CVE-2026-3668 identifies an improper access control vulnerability in the Freedom Factory dGEN1 product, version 20260221 and earlier. The flaw resides in the AndroidEthereum function within the org.ethosmobile.webpwaemul component. Improper access control means that the function does not adequately restrict access to certain resources or operations, potentially allowing unauthorized users to perform actions they should not be permitted to. The vulnerability can be exploited remotely, but the attack requires high complexity and user interaction, making exploitation difficult. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), user interaction required (UI:P), and low confidentiality impact (VC:L) with no impact on integrity or availability. Although a public exploit is available, there are no reports of active exploitation in the wild. The vendor was notified early but has not issued a patch or response, leaving users exposed. The vulnerability's low CVSS score reflects the limited impact and difficulty of exploitation, but it still poses a risk especially if combined with other vulnerabilities or social engineering. The affected product appears to be a specialized mobile or Ethereum-related application component, which may limit the scope of affected users but could be critical for those relying on it for blockchain or mobile Ethereum interactions.

The primary impact of this vulnerability is unauthorized access due to improper access controls, potentially allowing attackers to perform restricted operations remotely. However, the low confidentiality impact and lack of integrity or availability effects limit the severity. The high attack complexity and requirement for user interaction reduce the likelihood of successful exploitation. Organizations using Freedom Factory dGEN1 in environments involving Ethereum or blockchain-related mobile applications could face risks of unauthorized actions or data exposure within the affected component. The absence of vendor response and patches prolongs exposure, increasing risk over time. While no known active exploitation exists, the availability of a public exploit means attackers could attempt targeted attacks, especially against high-value targets using this product. Overall, the impact is low but non-negligible for affected users, particularly in sectors relying on secure Ethereum transactions or mobile blockchain applications.

Given the lack of vendor patches, organizations should implement compensating controls. These include restricting network access to the affected application or component, especially from untrusted sources, to reduce remote exploitation risk. Employ strict user education to minimize risky interactions that could trigger the vulnerability. Monitor application logs and network traffic for unusual access patterns related to the AndroidEthereum function. If possible, isolate the affected component within a sandbox or container to limit potential damage. Regularly check for vendor updates or community patches and apply them promptly once available. Consider alternative products or versions without this vulnerability for critical use cases. Conduct thorough security assessments of blockchain-related mobile applications to identify similar weaknesses. Finally, maintain up-to-date endpoint protection and intrusion detection systems to detect exploitation attempts.