CVE-2025-10721
BaseFortify

Publication date: 2025-09-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml. This manipulation causes improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-09-19
Last Modified: 2026-04-29
Generated: 2026-06-16
AI Q&A: 2025-09-19
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Showing 1 associated CPE
Vendor: ebull_technologies
Product: webull_investing_and_trading_app
Version / Range: 11.2.5.63
CWE
CWE-926: The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
Executive Summary

CVE-2025-10721 is a Task Hijacking vulnerability in the Webull Investing & Trading App version 11.2.5.63 on Android. It occurs because the app improperly exports Android application components in its AndroidManifest.xml file, allowing malicious local applications to hijack tasks and inherit permissions from the vulnerable app. This can be exploited to perform phishing attacks, such as stealing login credentials. The vulnerability affects all Android versions prior to Android 11 and requires local access to the device to be exploited. [1, 2]

Impact Analysis

This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the Webull Investing & Trading App on your device. A malicious local app can hijack tasks and inherit permissions, potentially leading to phishing attacks that steal your login credentials or other sensitive information. The attack is easy to perform and publicly known, increasing the risk of exploitation. Since no vendor mitigations are available, the app remains vulnerable until replaced or patched. [1, 2]

Detection Guidance

This vulnerability can be detected by analyzing the AndroidManifest.xml file of the Webull Investing & Trading App version 11.2.5.63 to identify improperly exported application components. Additionally, Google hacking techniques such as searching for 'inurl:AndroidManifest.xml' can help find vulnerable targets. Since the attack requires local access, inspecting installed apps on the device for this specific version and checking their manifest files for improper exports is recommended. [2]
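
The manifest check described above, as an added example that is not part of the original page or the vendor's code: it reads a decoded (text) AndroidManifest.xml and lists components that are exported without requiring a permission, the condition CWE-926 describes. The sample manifest and every name in it are constructed, and `unguarded_exports` is a hypothetical helper.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
COMPONENTS = ("activity", "activity-alias", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample (decoded text XML); not the Webull manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.sample">
  <application>
    <activity android:name=".MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".TransferActivity" android:exported="true"/>
    <activity android:name=".DeepLinkActivity">
      <intent-filter><action android:name="android.intent.action.VIEW"/></intent-filter>
    </activity>
    <service android:name=".SyncService" android:exported="true" android:permission="com.example.sample.INTERNAL"/>
    <receiver android:name=".LocalReceiver" android:exported="false"/>
  </application>
</manifest>"""

def unguarded_exports(manifest_xml):
    """List (tag, name, how) for exported components that require no permission."""
    root = ET.fromstring(manifest_xml)
    # <application android:permission> is the default for every component in it.
    app_perm = next(root.iter("application"), root).get(ANDROID + "permission")
    findings = []
    for comp in root.iter():
        if comp.tag not in COMPONENTS:
            continue
        exported = comp.get(ANDROID + "exported")
        if exported == "true":
            how = "explicit"
        elif exported is None and comp.find("intent-filter") is not None:
            how = "implicit"  # default with an intent filter when targeting below Android 12
        else:
            continue
        if comp.get(ANDROID + "permission") or app_perm:
            continue  # callers must hold a permission; review its protectionLevel
        if any(c.get(ANDROID + "name") == LAUNCHER for c in comp.iter("category")):
            how += ", launcher entry point"  # expected to be exported
        findings.append((comp.tag, comp.get(ANDROID + "name"), how))
    return findings

if __name__ == "__main__":
    print(*unguarded_exports(SAMPLE_MANIFEST), sep="\n")
```

The manifest inside an APK is binary XML, so decode it first (for example with apktool) before passing the text to this function.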

Mitigation Strategies

No known direct mitigations or countermeasures have been provided by the vendor. The recommended immediate step is to consider replacing the affected product or to avoid using the vulnerable version of the Webull Investing & Trading App. Since the vulnerability arises from improper export of components in AndroidManifest.xml, modifying the manifest to restrict component export would mitigate the issue, but this requires vendor action. Until then, limiting local access to the device and avoiding installation of untrusted apps can reduce risk. [2]
