CVE-2025-10721
BaseFortify

Publication date: 2025-09-19

Last updated on: 2026-04-29

Assigner: VulDB

Description
A vulnerability was determined in Webull Investing & Trading App 11.2.5.63 on Android. This vulnerability affects unknown code of the file AndroidManifest.xml. This manipulation causes improper export of android application components. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Meta Information
Published: 2025-09-19
Last Modified: 2026-04-29
Generated: 2026-05-06
AI Q&A: 2025-09-19
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
ebull_technologies webull_investing_and_trading_app 11.2.5.63
CWE ID Description
CWE-926 The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component or access the data it contains.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-10721 is a Task Hijacking vulnerability in the Webull Investing & Trading App version 11.2.5.63 on Android. It occurs because the app improperly exports Android application components in its AndroidManifest.xml file, allowing malicious local applications to hijack tasks and inherit permissions from the vulnerable app. This can be exploited to perform phishing attacks, such as stealing login credentials. The vulnerability affects all Android versions prior to Android 11 and requires local access to the device to be exploited. [1, 2]


How can this vulnerability impact me?

This vulnerability can impact you by compromising the confidentiality, integrity, and availability of the Webull Investing & Trading App on your device. A malicious local app can hijack tasks and inherit permissions, potentially leading to phishing attacks that steal your login credentials or other sensitive information. The attack is easy to perform and publicly known, increasing the risk of exploitation. Since no vendor mitigations are available, the app remains vulnerable until replaced or patched. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by analyzing the AndroidManifest.xml file of the Webull Investing & Trading App version 11.2.5.63 to identify improperly exported application components. Additionally, Google hacking techniques such as searching for 'inurl:AndroidManifest.xml' can help find vulnerable targets. Since the attack requires local access, inspecting installed apps on the device for this specific version and checking their manifest files for improper exports is recommended. [2]


What immediate steps should I take to mitigate this vulnerability?

No known direct mitigations or countermeasures have been provided by the vendor. The recommended immediate step is to consider replacing the affected product or avoid using the vulnerable version of the Webull Investing & Trading App. Since the vulnerability arises from improper exportation of components in AndroidManifest.xml, modifying the manifest to restrict component exportation would mitigate the issue, but this requires vendor action. Until then, limiting local access to the device and avoiding installation of untrusted apps can reduce risk. [2]

