CVE-2026-3667 is an authorization vulnerability identified in the Freedom Factory dGEN1 product, specifically affecting the FakeAppService function within the org.ethosmobile.ethoslauncher component. This vulnerability arises from improper authorization checks, allowing a local attacker with limited privileges (PR:L) to bypass intended access controls. The attack does not require user interaction (UI:N) or elevated privileges beyond limited local access, and it can be executed with low attack complexity (AC:L). The vulnerability impacts confidentiality, integrity, and availability to a limited degree (VC:L, VI:L, VA:L). The flaw is present in versions up to 20260221, and no patches or vendor responses have been issued despite early disclosure. The exploit has been publicly released, increasing the risk of exploitation by local threat actors. The vulnerability does not require network access (AV:L), limiting its exploitation to local users or processes. The absence of vendor mitigation and the public availability of exploit code heighten the urgency for affected organizations to implement compensating controls. The vulnerability’s CVSS 4.0 vector is AV:L/AC:L/PR:L/UI:N/VC:L/VI:L/VA:L, resulting in a score of 4.8, categorized as medium severity. This vulnerability could be leveraged to gain unauthorized access to sensitive functions or data within the affected component, potentially undermining system integrity or confidentiality in environments where local access is attainable.

The primary impact of CVE-2026-3667 is unauthorized local access to functionality or data protected by the FakeAppService authorization mechanism in Freedom Factory dGEN1. While the vulnerability requires local access with limited privileges, exploitation could allow attackers to escalate their capabilities within the system, potentially leading to unauthorized data access, modification, or disruption of service. This could affect organizations relying on dGEN1 for critical mobile or embedded device operations, especially where local user accounts are shared or insufficiently segregated. The public release of exploit code increases the risk of opportunistic attacks by insiders or malware with local execution capabilities. Although the vulnerability does not directly enable remote exploitation, environments with weak endpoint security or shared device usage are at higher risk. The lack of vendor response and patches prolongs exposure, increasing the window for exploitation. Overall, the impact is medium, with potential confidentiality, integrity, and availability degradation limited to local contexts but possibly significant in sensitive deployments.

Given the absence of official patches or vendor guidance, organizations should implement the following specific mitigations: 1) Enforce strict local access controls and user account segregation to limit the number of users with local access to devices running Freedom Factory dGEN1. 2) Employ application whitelisting and endpoint protection to detect and prevent unauthorized execution of exploit code targeting FakeAppService. 3) Monitor local system logs and behavior for unusual access patterns or privilege escalations related to the org.ethosmobile.ethoslauncher component. 4) Restrict physical access to devices to trusted personnel only, minimizing the risk of local exploitation. 5) Consider deploying host-based intrusion detection systems (HIDS) that can alert on suspicious local activity. 6) If feasible, isolate affected devices from sensitive networks until a vendor patch is available. 7) Engage with Freedom Factory or community forums for updates or unofficial patches. 8) Conduct regular security audits focusing on local privilege management and authorization enforcement within the affected environment.