
CVE-2025-9673: Improper Export of Android Application Components in Kakao 헤이카카오 Hey Kakao App

Severity: Medium
Published: Fri Aug 29 2025 (08/29/2025, 20:02:08 UTC)
Source: CVE Database V5
Vendor/Project: Kakao
Product: 헤이카카오 Hey Kakao App

Description

A vulnerability was detected in Kakao 헤이카카오 Hey Kakao App up to 2.17.4 on Android. Affected by this vulnerability is an unknown functionality of the file AndroidManifest.xml of the component com.kakao.i.connect. The manipulation results in improper export of android application components. The attack requires a local approach. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/05/2025, 20:38:26 UTC

Technical Analysis

CVE-2025-9673 is a medium-severity vulnerability in the Kakao 헤이카카오 Hey Kakao App for Android, affecting app versions up to 2.17.4. It stems from improper export of Android application components declared in the AndroidManifest.xml file, specifically within the component com.kakao.i.connect. Improper export means that components intended to be private or restricted are instead exposed to other applications on the same device. A local attacker (someone with access to the device) can interact with these components in unintended ways, potentially leading to unauthorized access to, or manipulation of, app functionality or data.

The attack requires local access and at least limited privileges (PR:L) on the device, but no user interaction. The vulnerability has a CVSS 4.0 base score of 4.8, indicating medium severity. The exploit is publicly available, which increases the risk of exploitation, although no exploitation in the wild has been reported to date. The vendor, Kakao, was contacted early but did not respond or provide a patch at the time of disclosure. The vulnerability does not affect confidentiality, integrity, or availability to a critical extent, but it does present a risk of privilege escalation or unauthorized component interaction within the app context. Because the vulnerability is local and requires some privileges, it is less likely to be exploited remotely, but it remains a concern for devices where local access could be gained, such as shared or compromised devices.

Potential Impact

For European organizations, the impact of this vulnerability depends largely on the use of the Kakao 헤이카카오 Hey Kakao App within their environment. While Kakao is a South Korean company and its app is primarily targeted at Korean-speaking users, organizations with employees or customers using this app on Android devices could face risks. The improper export of app components could allow malicious local actors to exploit the app to gain unauthorized access to sensitive information or manipulate app behavior, potentially leading to data leakage or unauthorized actions within the app. This is particularly relevant for organizations with Bring Your Own Device (BYOD) policies or where Android devices are used in environments with multiple users or potential local attackers. The public availability of the exploit code increases the risk of opportunistic attacks. However, since the vulnerability requires local access and some privileges, remote exploitation or large-scale attacks are less likely. The lack of vendor response and patch availability means organizations must rely on mitigation strategies until an official fix is released.

Mitigation Recommendations

European organizations should implement the following specific mitigation measures:

1) Conduct an inventory to identify Android devices with the Kakao 헤이카카오 Hey Kakao App installed, focusing on versions 2.17.0 through 2.17.4.
2) Restrict local device access by enforcing strong device authentication mechanisms such as PINs, passwords, or biometric locks to prevent unauthorized local access.
3) Limit installation of apps from untrusted sources and monitor for suspicious local activity that could indicate exploitation attempts.
4) Educate users about the risks of local device compromise and encourage prompt reporting of lost or stolen devices.
5) Use Mobile Device Management (MDM) solutions to enforce security policies, including app version control and removal of vulnerable app versions where feasible.
6) Monitor official Kakao channels and security advisories for patches or updates addressing this vulnerability and apply them promptly once available.
7) Consider network segmentation and restricting sensitive operations to devices that do not have this vulnerable app installed or are fully patched.

These steps go beyond generic advice by focusing on controlling local access, app version management, and user awareness specific to this vulnerability context.


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-08-29T10:14:10.723Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68b20afbad5a09ad007ade35

Added to database: 8/29/2025, 8:18:03 PM

Last enriched: 9/5/2025, 8:38:26 PM

Last updated: 10/14/2025, 12:28:12 PM
