CVE-2025-9672: Improper Export of Android Application Components in Rejseplanen App
A security vulnerability has been detected in Rejseplanen App up to 8.2.2. Affected is an unknown function of the file AndroidManifest.xml of the component de.hafas.android.rejseplanen. The manipulation leads to improper export of Android application components. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AI Analysis
Technical Summary
CVE-2025-9672 is a security vulnerability identified in the Rejseplanen Android application, specifically affecting versions 8.2.0 through 8.2.2. The vulnerability arises from improper exportation of Android application components declared in the AndroidManifest.xml file of the app's package de.hafas.android.rejseplanen. Improper export means that certain components such as activities, services, or broadcast receivers are made accessible to other apps or processes on the device without adequate access controls. This can allow a local attacker—someone with physical or logical access to the device—to interact with these components in unintended ways. The vulnerability does not require user interaction but does require local access and low privileges, making exploitation somewhat constrained but still feasible in scenarios where an attacker has device access. The CVSS 4.0 vector indicates low attack complexity, no user interaction, and low impact on confidentiality, integrity, and availability, resulting in a medium severity score of 4.8. The vendor was notified but has not responded or issued a patch, and no known exploits have been observed in the wild yet. The vulnerability could allow an attacker to manipulate app behavior, potentially leading to unauthorized data access or privilege escalation within the app context, depending on which components are exposed and their functions. However, the exact components and their functions remain unspecified in the disclosure.
Potential Impact
For European organizations, especially those relying on the Rejseplanen app for public transportation planning and related services, this vulnerability poses a moderate risk. Since the app is widely used in Denmark and potentially other Scandinavian countries, organizations with employees or customers using the app on corporate or personal devices could face risks of local device compromise or data leakage. The improper export of components could be leveraged by malicious local actors or malware to gain unauthorized access to app functions or data, potentially exposing sensitive travel information or enabling further attacks on the device. Although the attack requires local access and low privileges, the lack of vendor response and patch availability increases the window of exposure. Public transportation authorities, enterprises with mobile workforce mobility, and users in critical infrastructure sectors could be impacted if attackers exploit this vulnerability to gain footholds on devices used for operational purposes.
Mitigation Recommendations
Given the absence of an official patch, European organizations should implement several practical mitigations:
1) Restrict physical and logical access to devices running the Rejseplanen app by enforcing strong device authentication and mobile device management (MDM) policies.
2) Monitor and restrict installation of potentially malicious apps that could exploit exported components locally.
3) Encourage users to update the app promptly once a vendor patch is released.
4) Employ application sandboxing and runtime protection tools that can detect or block unauthorized inter-process communications targeting exported components.
5) Conduct internal audits of devices for signs of exploitation or suspicious activity related to the app.
6) Consider temporarily limiting the use of the vulnerable app version on corporate devices until a fix is available.
7) Engage with the vendor or community to push for a timely patch and share threat intelligence regarding this vulnerability.
Affected Countries
Denmark, Sweden, Norway, Finland, Germany
Technical Details
- Data Version: 5.1
- Assigner Short Name: VulDB
- Date Reserved: 2025-08-29T10:13:14.563Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68b20afbad5a09ad007ade2e
Added to database: 8/29/2025, 8:18:03 PM
Last enriched: 8/29/2025, 8:32:53 PM
Last updated: 8/29/2025, 9:04:34 PM