Executive Summary

CVE-2026-26208 is a high-severity Remote Code Execution vulnerability in ADB Explorer versions prior to Beta 0.9.26020 caused by insecure deserialization.

The application deserializes its settings file (App.txt) using Newtonsoft.Json with the setting TypeNameHandling.Objects enabled, which allows arbitrary .NET types to be instantiated during deserialization.

An attacker can craft a malicious JSON file containing a gadget chain (such as System.Windows.Data.ObjectDataProvider) that executes arbitrary code when the application launches and saves its settings.

This happens because the application loads and deserializes the settings file on startup without sufficient validation, enabling execution of attacker-supplied code.

The vulnerability is fixed in Beta 0.9.26020 by disabling TypeNameHandling during deserialization.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to execute arbitrary code on the system with the privileges of the user running ADB Explorer.

An attacker can exploit this by tricking a user into running the application from a directory containing a maliciously crafted App.txt settings file, for example, inside a downloaded archive.

Successful exploitation can lead to full compromise of confidentiality, integrity, and availability of the affected system.

The CVSS v3.1 base score is 7.8 (High), indicating significant impact including high confidentiality, integrity, and availability loss.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if the ADB Explorer application is running a version prior to Beta 0.9.26020 and if it is deserializing the App.txt settings file using Newtonsoft.Json with TypeNameHandling set to Objects.'}, {'type': 'paragraph', 'content': 'A practical detection method involves inspecting the presence and contents of the App.txt settings file used by ADB Explorer. If the file contains suspicious JSON payloads with $type fields referencing .NET types such as System.Windows.Data.ObjectDataProvider or System.Diagnostics.Process, it may indicate exploitation attempts.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or crafted malicious files, you can search for the presence of App.txt files containing the gadget chain payload. For example, on Windows, you might use the following PowerShell command to search for suspicious $type entries in App.txt files within the application directory or user profile:'}, {'type': 'list_item', 'content': "Get-ChildItem -Path 'C:\\Path\\To\\ADBExplorer\\' -Recurse -Filter 'App.txt' | Select-String -Pattern '\\$type'"}, {'type': 'paragraph', 'content': 'Additionally, monitoring process creation events triggered by ADB Explorer or unusual execution of programs like calc.exe when launching or exiting ADB Explorer could indicate exploitation.'}, {'type': 'paragraph', 'content': 'Since the attack requires user interaction and local execution, verifying the version of ADB Explorer installed is critical. You can check the version by running the application or inspecting its executable properties to ensure it is Beta 0.9.26020 or later.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade ADB Explorer to version Beta 0.9.26020 or later, where the vulnerability has been fixed by disabling TypeNameHandling during JSON deserialization.

If upgrading is not immediately possible, avoid running ADB Explorer from directories containing untrusted or suspicious App.txt settings files, as the vulnerability is exploited by supplying a crafted JSON file.

Additionally, restrict user permissions and educate users to avoid opening or running ADB Explorer with settings files from untrusted sources, such as downloaded archives or unknown directories.

From a development or deployment perspective, ensure that JSON deserialization settings do not use TypeNameHandling.Objects or similar configurations that allow deserialization of arbitrary types.

Useful 0 Not Useful 0