
CVE-2025-9671: Improper Export of Android Application Components in UAB Paytend App

Severity: Medium
Type: Vulnerability
CVE: CVE-2025-9671
Published: Fri Aug 29 2025 (08/29/2025, 19:32:07 UTC)
Source: CVE Database V5
Vendor/Project: UAB
Product: Paytend App

Description

A weakness has been identified in UAB Paytend App up to 2.1.9 on Android. This impacts an unknown function of the file AndroidManifest.xml of the component com.passport.cash. Executing manipulation can lead to improper export of android application components. The attack needs to be launched locally. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 08/29/2025, 20:02:44 UTC

Technical Analysis

CVE-2025-9671 is a medium-severity vulnerability affecting the UAB Paytend Android application versions 2.1.0 through 2.1.9. The vulnerability arises from improper export of Android application components declared in the AndroidManifest.xml file, specifically related to the component com.passport.cash. Improper export means that certain app components (such as activities, services, or broadcast receivers) are made accessible to other apps or processes without adequate access controls. This can allow a local attacker—someone with physical or local access to the device—to manipulate these components, potentially leading to unauthorized access or actions within the app context. The attack vector requires local access and does not require user interaction, but does require at least limited privileges (PR:L). The CVSS 4.0 vector indicates low attack complexity and partial impact on confidentiality, integrity, and availability. The vendor was contacted but did not respond, and no patch links are currently available. Although the exploit code has been publicly released, there are no known exploits in the wild yet. This vulnerability is significant because financial or payment apps like Paytend often handle sensitive user data and transactions, so improper component exposure could lead to data leakage or unauthorized transaction manipulation if exploited.
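
A minimal audit for the condition described above, as an added example that is not part of the CVE record or the Paytend code base: it reads a decoded AndroidManifest.xml and lists components that other apps can reach without a signature-level permission. The manifest, package name and component names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
TAGS = ("activity", "activity-alias", "service", "receiver", "provider")

# Constructed manifest; the package and component names are hypothetical.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.pay">
  <permission android:name="com.example.pay.PUSH" android:protectionLevel="signature"/>
  <permission android:name="com.example.pay.SYNC" android:protectionLevel="normal"/>
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter><action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/></intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <service android:name=".SyncService" android:permission="com.example.pay.SYNC">
      <intent-filter><action android:name="com.example.pay.action.SYNC"/></intent-filter>
    </service>
    <receiver android:name=".PushReceiver" android:exported="true"
        android:permission="com.example.pay.PUSH"/>
    <provider android:name=".CardProvider" android:authorities="com.example.pay.cards"
        android:exported="false"/>
  </application>
</manifest>"""

def audit_exported(manifest_xml):
    """Return (tag, name, guard) for components other apps can reach without a
    signature-level permission; guard is 'none' when no permission is set."""
    root = ET.fromstring(manifest_xml)
    # Protection level of every permission the app itself declares.
    levels = {p.get(NS + "name"): p.get(NS + "protectionLevel", "normal")
              for p in root.iter("permission")}
    app = root.find("application")
    findings = []
    for comp in ([] if app is None else [c for c in app if c.tag in TAGS]):
        filters = comp.findall("intent-filter")
        exported = comp.get(NS + "exported")
        # With no explicit flag, an intent filter makes the component exported
        # (the default for apps targeting below Android 12).
        if exported == "false" or (exported is None and not filters):
            continue
        if any(c.get(NS + "name") == "android.intent.category.LAUNCHER"
               for f in filters for c in f.findall("category")):
            continue  # the launcher entry point is exported by design
        # Provider readPermission/writePermission are not evaluated here.
        perm = comp.get(NS + "permission") or app.get(NS + "permission")
        level = levels.get(perm, "unknown") if perm else "none"
        if not level.startswith("signature"):
            findings.append((comp.tag, comp.get(NS + "name"), level))
    return findings
```

Run it on the manifest decoded from the APK (for example by apktool), since the manifest packed inside an APK is binary XML. A guard of "unknown" means the permission is declared outside the app and needs a manual look.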

Potential Impact

For European organizations, especially those relying on UAB Paytend for payment processing or financial transactions, this vulnerability could lead to unauthorized local access to sensitive financial information or manipulation of app behavior. While remote exploitation is not possible, insider threats or attackers with physical access to devices could leverage this flaw to compromise confidentiality and integrity of payment data. This could result in financial fraud, data breaches, or loss of customer trust. Organizations in sectors such as banking, retail, or any service using Paytend for payments should be particularly cautious. The lack of vendor response and absence of patches increases the risk exposure. Additionally, the vulnerability could be exploited in corporate environments where employees use Paytend on company-issued Android devices, potentially leading to lateral movement or privilege escalation within internal networks.

Mitigation Recommendations

Given the lack of an official patch, European organizations should implement several practical mitigations:

1) Restrict physical and local access to devices running vulnerable versions of Paytend through strong device management policies and endpoint security controls.
2) Employ Mobile Device Management (MDM) solutions to enforce app usage policies, restrict installation of unauthorized apps, and monitor for suspicious local activity.
3) Encourage users to update to newer versions of Paytend if and when patches become available; meanwhile, consider alternative payment apps with better security posture.
4) Conduct regular security audits and penetration testing focusing on local privilege escalation and app component exposure.
5) Use Android security features such as app sandboxing, permission management, and disabling debugging options to reduce attack surface.
6) Educate users about risks of local attacks and the importance of device security.
7) Monitor for any emerging exploit activity related to this CVE and be prepared to respond swiftly.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T10:11:37.007Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b203e4ad5a09ad007a8a7c

Added to database: 8/29/2025, 7:47:48 PM

Last enriched: 8/29/2025, 8:02:44 PM

Last updated: 10/14/2025, 6:39:54 AM
