
CVE-2025-9135: Improper Export of Android Application Components in Verkehrsauskunft Österreich SmartRide

Medium
Published: Tue Aug 19 2025 (08/19/2025, 11:02:06 UTC)
Source: CVE Database V5
Vendor/Project: Verkehrsauskunft Österreich
Product: SmartRide

Description

A vulnerability was detected in Verkehrsauskunft Österreich SmartRide, cleVVVer and BusBahnBim up to 12.1.1(258). The impacted element is an unknown function of the file AndroidManifest.xml. The manipulation results in improper export of Android application components. The attack must be initiated from a local position. The exploit is now public and may be used. Upgrading to version 12.1.2(259) is sufficient to resolve this issue; upgrading the affected component is recommended.

AI-Powered Analysis

Last updated: 08/19/2025, 11:32:44 UTC

Technical Analysis

CVE-2025-9135 is a medium-severity vulnerability in the Android application Verkehrsauskunft Österreich SmartRide and the related apps cleVVVer and BusBahnBim, up to version 12.1.1(258). The root cause is an improper export of Android application components caused by a misconfiguration in AndroidManifest.xml, the file that declares an app's components (activities, services, broadcast receivers and content providers) and whether other apps or system processes may reach them. A component that is exported without a permission guard can be invoked by any other app on the same device, which can lead to unauthorized information disclosure, privilege escalation, or manipulation of app behaviour. The attack vector is local: an attacker must have physical or local software access to the device, typically through another app installed on it. No user interaction or elevated privileges are required beyond that local access, and confidentiality, integrity and availability are each affected to a limited extent. The CVSS 4.0 score is 4.8 (medium), reflecting low attack complexity but limited scope and impact. The vulnerability is resolved in version 12.1.2(259), which corrects the manifest configuration to restrict component export. No exploitation in the wild is known, but a public exploit exists, which raises the likelihood of exploitation. The issue matters for users of these transit apps, which provide public-transport information and routing in Austria and potentially neighbouring regions: a malicious local app could interfere with the apps or extract transit or user data they store or process.

Potential Impact

For European organizations, particularly those involved in public transportation, mobility services, or urban planning that rely on the Verkehrsauskunft Österreich SmartRide app or its related apps, this vulnerability poses a moderate risk. Exploitation could lead to unauthorized access to sensitive user data or manipulation of transit information, potentially disrupting service reliability or user trust. While the attack requires local device access, the widespread use of these apps in Austria and possibly adjacent countries means that compromised devices could be leveraged for targeted attacks or data harvesting. Organizations managing fleets, public transit infrastructure, or customer-facing mobility services could face reputational damage or operational disruptions if attackers exploit this flaw. Additionally, privacy regulations such as GDPR impose strict requirements on protecting user data, so any data leakage resulting from this vulnerability could lead to compliance issues and fines. The limited scope and local attack vector reduce the likelihood of large-scale remote exploitation, but insider threats or malware on user devices could still leverage this vulnerability.

Mitigation Recommendations

The primary mitigation is to upgrade all affected applications to version 12.1.2(259) or later, which addresses the improper export of components in the AndroidManifest.xml. Organizations should enforce app update policies to ensure users promptly install the patched version. Additionally, implement mobile device management (MDM) solutions to restrict installation of unauthorized apps that could exploit local vulnerabilities. Conduct regular security audits of app permissions and exported components to detect misconfigurations. Educate users on the risks of installing untrusted local applications and the importance of device security hygiene. For organizations distributing these apps internally or customizing them, perform thorough manifest reviews and penetration testing focused on component exposure. Monitoring device logs for suspicious inter-app communication attempts can help detect exploitation attempts. Finally, consider implementing runtime application self-protection (RASP) or enhanced sandboxing to limit the impact of local attacks on app components.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-19T05:24:49.747Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68a45d58ad5a09ad00f6b52e

Added to database: 8/19/2025, 11:17:44 AM

Last enriched: 8/19/2025, 11:32:44 AM

Last updated: 8/20/2025, 12:35:27 AM
