CVE-2025-9675 is a medium-severity vulnerability affecting the Voice Changer App versions up to 1.1.0. The root cause lies in improper exportation of Android application components declared within the AndroidManifest.xml file, specifically related to the component com.tuyangkeji.changevoice. Improper export means that components intended to be private or restricted are inadvertently made accessible to other applications or processes on the same device. This misconfiguration can allow a local attacker—someone with access to the device—to manipulate or interact with these components in unintended ways. The vulnerability does not require user interaction and can be exploited with low complexity, but it requires at least limited privileges (PR:L), meaning the attacker must have some level of access to the device, such as a non-root user. The CVSS 4.0 vector indicates low impact on confidentiality, integrity, and availability, but the exploitability is relatively straightforward given the local attack vector and lack of required user interaction. The vulnerability has been publicly disclosed but no known exploits are currently reported in the wild. The improper export of components can lead to unauthorized access to app functionality or data, potentially enabling privilege escalation, data leakage, or unauthorized command execution within the app context. Since the app processes audio and voice data, sensitive user information or device capabilities could be exposed or manipulated. The lack of a patch link suggests that a fix may not yet be available, emphasizing the need for mitigation through configuration review or app updates once released.

For European organizations, the impact depends largely on the usage of the Voice Changer App within their environment. While primarily a consumer-focused application, if used on corporate or BYOD devices, this vulnerability could be leveraged by malicious insiders or malware with local access to escalate privileges or access sensitive voice data. This could lead to privacy violations, unauthorized data access, or lateral movement within a device or network. The local attack vector limits remote exploitation, but in environments where devices are shared or less controlled, the risk increases. Additionally, organizations handling sensitive voice communications or audio data could face confidentiality breaches. The medium severity suggests moderate risk, but the potential for exploitation in environments with lax endpoint security or insider threats should not be underestimated. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as public disclosure may prompt attackers to develop exploits.

European organizations should take the following specific actions: 1) Identify and inventory devices with the Voice Changer App installed, particularly versions 1.0 and 1.1.0. 2) Restrict local access to devices to trusted users only, enforcing strong endpoint security policies to prevent unauthorized local access. 3) Monitor for unusual inter-process communication or app behavior that could indicate exploitation attempts. 4) Engage with the app vendor or monitor official channels for patches or updates addressing this vulnerability and prioritize timely application of fixes once available. 5) If feasible, remove or disable the Voice Changer App on corporate or BYOD devices until a patch is applied. 6) Educate users about the risks of installing untrusted apps and the importance of device security. 7) Review AndroidManifest.xml configurations if managing custom or internally developed apps to ensure components are not improperly exported. These steps go beyond generic advice by focusing on device inventory, access control, behavioral monitoring, and vendor engagement.