Vulnerability Details : CVE-2021-41849
Potential exploit
An issue was discovered in Luna Simo PPR1.180610.011/202001031830. It sends the following Personally Identifiable Information (PII) in plaintext using HTTP to servers located in China: user's list of installed apps and device International Mobile Equipment Identity (IMEI). This PII is transmitted to log.skyroam.com.cn using HTTP, independent of whether the user uses the Simo software.
Products affected by CVE-2021-41849
- cpe:2.3:o:bluproducts:g90_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:bluproducts:g9_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:wikomobile:tommy_3_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:wikomobile:tommy_3_plus_firmware:-:*:*:*:*:*:*:*
- cpe:2.3:o:luna:simo_firmware:-:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2021-41849
0.06%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 26 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2021-41849
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST | |
5.5
|
MEDIUM | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
1.8
|
3.6
|
NIST |
CWE ids for CVE-2021-41849
-
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.Assigned by: nvd@nist.gov (Primary)
References for CVE-2021-41849
-
https://simowireless.com/
SIMO - Mobile Internet | Software-as-a-Service | United StatesVendor Advisory
-
https://www.kryptowire.com/android-firmware-2022/
Page Not Found | KryptowireBroken Link
-
https://athack.com/session-details/401
@Hack | Infosec on the Edge | 28 - 30 November 2021Third Party Advisory
-
https://www.kryptowire.com/blog/vsim-vulnerability-within-simo-android-phones-exposed/
Virtual SIM (vSIM) Vulnerability Within Simo Android Phones ExposedExploit;Third Party Advisory
Jump to