CVE-2025-55443
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-09-09
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| telpo | telpo_mdm | From 1.4.6 (inc) to 1.4.9 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-312 | The product stores sensitive information in cleartext within a resource that might be accessible to another control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Telpo MDM versions 1.4.6 through 1.4.9 for Android involves sensitive administrator credentials and MQTT server connection details being stored in plaintext within log files on the device's external storage. An attacker who gains access to these log files can use the credentials to authenticate to the MDM web platform and perform administrative actions such as device shutdown, factory reset, or software installation. Additionally, the attacker can connect to the MQTT server to intercept or publish device data.
How can this vulnerability impact me?
The vulnerability can allow an attacker with access to the device's external storage to gain administrative control over the MDM platform, enabling them to perform disruptive actions like shutting down devices, resetting them to factory settings, or installing unauthorized software. Furthermore, the attacker can intercept or manipulate device data by connecting to the MQTT server, potentially compromising device integrity and data confidentiality.
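The following is an added example, not code from Telpo or from this page: a Python audit that scans log text pulled from a device's external storage for the two kinds of cleartext data described above (account credentials and MQTT connection details) and reports each finding with the secret masked. The key names, URI shapes and sample log lines are assumptions constructed for illustration, since the page does not show the actual log format.

```python
import re

# Key names and URI shapes are assumptions: the page does not show the
# actual Telpo MDM log format.
SECRET_KV = re.compile(
    r"""(?P<key>\b(?:password|passwd|pwd|secret|token)\b["']?\s*[:=]\s*["']?)"""
    r"""(?P<secret>[^\s"',;&}]+)""",
    re.IGNORECASE,
)
URI_USERINFO = re.compile(
    r"(?P<key>\b(?:mqtts?|tcp|ssl|wss?)://[^\s:/@]+:)(?P<secret>[^\s@/]+)(?=@)",
    re.IGNORECASE,
)
MQTT_ENDPOINT = re.compile(
    r"\b(?:mqtts?://[^\s\"']+|(?:tcp|ssl)://[^\s\"'/]+:(?:1883|8883)\b)",
    re.IGNORECASE,
)
RULES = (("credential", SECRET_KV), ("uri-credential", URI_USERINFO))


def redact(line):
    """Return the line with every matched secret value masked."""
    for _, rx in RULES:
        line = rx.sub(lambda m: m.group("key") + "[REDACTED]", line)
    return line


def scan(text):
    """Return (line_number, rule_names, redacted_line) for each suspicious line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = [name for name, rx in RULES if rx.search(line)]
        if MQTT_ENDPOINT.search(line):
            hits.append("mqtt-endpoint")
        if hits:
            findings.append((number, hits, redact(line)))
    return findings


# Constructed sample log, not taken from a real device.
SAMPLE_LOG = """\
2025-08-01 10:00:01 I/Mdm: service started
2025-08-01 10:00:02 D/Mdm: login request {"username":"admin","password":"Example-Pass-1"}
2025-08-01 10:00:03 D/Mqtt: connecting tcp://mqttuser:Example-Pass-2@broker.example.invalid:1883
2025-08-01 10:00:04 D/Mqtt: subscribed to topic device/status
"""

if __name__ == "__main__":
    for number, hits, safe in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(hits)}: {safe}")
```

Any finding means the credential or broker account it refers to should be rotated, because the log file may already have been read by another app or anyone with access to the storage.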