
CVE-2025-9672: Improper Export of Android Application Components in Rejseplanen App

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-9672, cve, cve-2025-9672
Published: Fri Aug 29 2025 (08/29/2025, 20:02:06 UTC)
Source: CVE Database V5
Product: Rejseplanen App

Description

A security vulnerability has been detected in Rejseplanen App up to 8.2.2. Affected is an unknown function of the file AndroidManifest.xml of the component de.hafas.android.rejseplanen. The manipulation leads to improper export of android application components. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/05/2025, 20:38:16 UTC

Technical Analysis

CVE-2025-9672 is a medium-severity vulnerability in the Rejseplanen Android application, versions up to 8.2.2. It arises from the improper export of Android application components declared in the AndroidManifest.xml file of the component de.hafas.android.rejseplanen. Specifically, certain components (such as activities, services, broadcast receivers, or content providers) are incorrectly marked as exported, allowing other local applications or processes on the same device to interact with them without proper authorization. This misconfiguration can lead to unauthorized access to, or manipulation of, app functionality or data.

Exploitation requires local access to the device: an attacker must be able to run code or apps on the same device as the vulnerable app. No user interaction or elevated privileges beyond local access are necessary, but the attacker must have at least limited privileges (PR:L). The vulnerability does not require network access or system-level privileges, which limits its attack surface. The CVSS 4.0 base score of 4.8 reflects medium severity, considering the limited attack vector (local), low complexity, and partial impact on confidentiality, integrity, and availability.

The vendor was notified but did not respond, and no patches or mitigations have been published yet. No known exploits are currently in the wild, but public disclosure of the exploit details increases the risk of future exploitation. Local attackers could leverage the improperly exported components to perform unauthorized actions within the app context, potentially leading to data leakage, unauthorized operations, or privilege escalation within the app's scope.

Potential Impact

For European organizations, especially those relying on the Rejseplanen app for public transportation planning and related services, this vulnerability could expose sensitive user data or disrupt service integrity if exploited. Although the attack requires local access, the widespread use of the app in Denmark and neighboring countries means that compromised or malicious apps installed on the same device could exploit this flaw. This could lead to unauthorized access to user travel information, personal data, or manipulation of app behavior, undermining user trust and potentially violating data protection regulations such as GDPR. Organizations that integrate or rely on Rejseplanen for employee travel or public transport coordination may face operational risks or reputational damage if user data is compromised. However, the limited attack vector and absence of remote exploitation reduce the likelihood of large-scale attacks. The lack of vendor response and patches increases the urgency for organizations to implement compensating controls to mitigate risk.

Mitigation Recommendations

Given the absence of official patches, European organizations and users should take specific steps to mitigate this vulnerability:

1) Restrict installation of untrusted or unknown applications on devices running Rejseplanen to reduce the risk of local exploitation.
2) Employ mobile device management (MDM) solutions to enforce application whitelisting and control app permissions, limiting the ability of malicious apps to interact with Rejseplanen components.
3) Monitor device activity for unusual inter-app communication or behavior indicative of exploitation attempts.
4) Educate users about the risks of installing apps from unverified sources and the importance of device security hygiene.
5) Where possible, isolate or sandbox the Rejseplanen app environment to prevent unauthorized component access.
6) Regularly check for vendor updates or patches and apply them promptly once available.
7) Consider alternative transportation apps with better security postures if risk tolerance is low.

These measures go beyond generic advice by focusing on controlling local app interactions and device-level security to compensate for the vulnerability's local attack vector.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T10:13:14.563Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b20afbad5a09ad007ade2e

Added to database: 8/29/2025, 8:18:03 PM

Last enriched: 9/5/2025, 8:38:16 PM

Last updated: 10/14/2025, 12:29:25 PM
