CVE-2025-9135: Improper Export of Android Application Components in Verkehrsauskunft Österreich SmartRide
A vulnerability was detected in Verkehrsauskunft Österreich SmartRide, cleVVVer, BusBahnBim and Salzburg Verkehr up to 12.1.1(258) on Android. The impacted element is an unknown function of the file AndroidManifest.xml. The manipulation results in improper export of Android application components. The attack must be initiated from a local position. The exploit is now public and may be used. Upgrading to version 12.1.2(259) is sufficient to resolve this issue. Upgrading the affected component is recommended. The vendor was contacted early and fixed the issue by "[r]emoving the task affinity of the app so it can't be copied".
AI Analysis
Technical Summary
CVE-2025-9135 is a medium-severity vulnerability affecting the Android applications Verkehrsauskunft Österreich SmartRide, cleVVVer, BusBahnBim, and Salzburg Verkehr up to version 12.1.1(258). The vulnerability arises from improper export of Android application components due to a misconfiguration in the AndroidManifest.xml file. Specifically, an unknown function or component within the manifest is exported improperly, allowing local attackers to interact with or manipulate these components. The attack vector requires local access to the device: the attacker must have physical or local access to the Android device running the vulnerable app. Exploitation requires no user interaction and only low privileges, but it does require local access. The vendor addressed the issue by removing the task affinity of the app, preventing the app from being copied or misused in this manner, and released a fixed version 12.1.2(259). The CVSS 4.0 base score is 4.8, reflecting a medium severity with low attack complexity, no user interaction, and limited confidentiality, integrity, and availability impacts. The exploit is publicly available, which increases the risk of exploitation, although no exploitation in the wild has been reported yet. This vulnerability could allow local attackers to access or manipulate app components that were not intended to be accessible externally, potentially leading to unauthorized information disclosure or limited interference with app behavior.
Potential Impact
For European organizations, especially those involved in public transportation, mobility services, or urban infrastructure relying on these Android applications, this vulnerability poses a risk of local device compromise or data leakage. Since the affected apps are used in Austria and possibly neighboring countries, organizations managing or supporting these apps could face risks related to unauthorized access to app components, potentially exposing sensitive user data or disrupting service functionality. The local attack requirement limits the scope to insiders or individuals with physical access to devices, such as employees, contractors, or passengers using shared or public devices. However, the public availability of the exploit increases the risk of opportunistic attacks. Confidentiality could be impacted if sensitive data within the app components is exposed. Integrity and availability impacts are limited but could affect app behavior or data accuracy. Overall, the threat is moderate but relevant for organizations relying on these apps for critical transportation services or user engagement in Europe.
Mitigation Recommendations
Organizations should ensure that all affected Android applications are updated promptly to version 12.1.2(259) or later, which contains the fix removing task affinity and correcting the export settings in AndroidManifest.xml. Device management policies should enforce app updates and restrict installation of vulnerable versions. For devices used in shared or public environments, additional controls such as device access restrictions, user authentication, and physical security measures should be implemented to prevent unauthorized local access. Developers and security teams should audit AndroidManifest.xml files in similar applications to verify that only intended components are exported and that task affinity or other manifest attributes do not allow unintended app cloning or component reuse. Regular security assessments and penetration tests focusing on local privilege escalation and component exposure should be conducted. Finally, user awareness campaigns can help reduce risks associated with local device access.
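The manifest audit recommended above, as an added example that is neither the vendor's nor the advisory's own code: it parses a decoded AndroidManifest.xml (a binary manifest from an APK must be decoded first, e.g. with apktool) and lists exported components together with activities whose effective task affinity is not the empty string. The two sample manifests are constructed; setting android:taskAffinity="" is the standard way to remove task affinity and is assumed here to be the shape of the vendor's fix.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

def _attr(elem, name):
    return elem.get(f"{{{ANDROID_NS}}}{name}")  # None if the attribute is absent

def audit_manifest(xml_text):
    """Return (component, finding) pairs for a decoded AndroidManifest.xml."""
    app = ET.fromstring(xml_text).find("application")
    if app is None:
        return []
    findings = []
    app_affinity = _attr(app, "taskAffinity")  # None means the package-name default
    for comp in (c for c in app if c.tag in COMPONENT_TAGS):
        name = _attr(comp, "name") or "<unnamed>"
        exported = _attr(comp, "exported")
        if exported == "true":
            findings.append((name, "exported"))
        elif exported is None and comp.find("intent-filter") is not None:
            # Implicitly exported on older targetSdk levels; targetSdk 31+ refuses to install.
            findings.append((name, "implicitly exported"))
        if comp.tag in ("activity", "activity-alias"):
            own = _attr(comp, "taskAffinity")
            effective = app_affinity if own is None else own
            if effective != "":  # only "" opts the activity out of task affinity
                findings.append((name, "non-empty taskAffinity"))
    return findings

# Constructed sample, not the vendor's manifest: implicit export, default affinity.
WEAK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:label="Transit">
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
      </intent-filter>
    </activity>
    <activity android:name=".TicketActivity" android:exported="true"/>
  </application>
</manifest>"""

# Same manifest hardened: explicit exports, internal activity closed, affinity "".
HARDENED_MANIFEST = (WEAK_MANIFEST
    .replace('<application android:label="Transit">',
             '<application android:label="Transit" android:taskAffinity="">')
    .replace('<activity android:name=".MainActivity">',
             '<activity android:name=".MainActivity" android:exported="true">')
    .replace('".TicketActivity" android:exported="true"',
             '".TicketActivity" android:exported="false"'))
```

The launcher activity must stay exported, so it still appears in the hardened output; the point of the audit is that every remaining entry is an intended one.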
Affected Countries
Austria, Germany, Switzerland
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-19T05:24:49.747Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68a45d58ad5a09ad00f6b52e
Added to database: 8/19/2025, 11:17:44 AM
Last enriched: 9/15/2025, 12:12:33 AM
Last updated: 10/4/2025, 6:01:42 AM