CVE-2025-68712
Authentication Bypass in SpSoft AppLock for Android
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| spsoft | applock | 7.9.40 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
SpSoft AppLock version 7.9.40 for Android contains a flaw that lets a local attacker with physical access to the device bypass the app's fingerprint or PIN authentication.
Although the app uses Android's biometric mechanisms, the lock itself is implemented as a custom overlay, and that overlay does not consistently enforce authentication.
Through insecure navigation via exposed routes, such as advertisement or browser intents reachable from the lock overlay, an attacker can follow cascading interface flows that exit the lock screen without re-authenticating.
The attacker then controls the AppLock app and can open the applications it was protecting, such as Chrome, which results in information disclosure and privilege escalation.
How can this vulnerability impact me?
This vulnerability can allow an attacker with physical access to your device to bypass the fingerprint or PIN lock of SpSoft AppLock.
As a result, the attacker can access apps that you intended to protect, such as web browsers, potentially exposing sensitive information.
This amounts to information disclosure and privilege escalation: a person holding the device who should have been stopped at the lock screen obtains the same access to the protected apps as the authenticated owner.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in SpSoft AppLock allows a local attacker with physical access to bypass fingerprint or PIN authentication, leading to unauthorized access to protected apps and potential information disclosure and privilege escalation.
Such unauthorized access and information disclosure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive data.
However, the provided information does not explicitly discuss the impact on compliance with these standards or any regulatory consequences.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves bypassing fingerprint or PIN authentication in the SpSoft AppLock app by exploiting insecure navigation through exposed interface routes triggered by advertisement or browser intents.
Detection means verifying whether the app allows exiting the lock interface without re-authentication after such navigation.
Since the vulnerability requires physical access and interaction with the app's interface flows, network-based detection is unlikely to be effective.
To detect the vulnerability on the device, you can attempt to reproduce the attack by triggering advertisement or browser intents while the app is locked and observe if the lock screen is bypassed without requiring re-authentication.
The available resources provide no specific commands to detect this vulnerability automatically; the practical check is to confirm whether the affected build (7.9.40) is installed and, if so, to reproduce the flow manually.
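As an added example (not part of the advisory or of any SpSoft tooling), the following adb-based script checks whether the affected AppLock build, 7.9.40, is installed on an attached device and optionally fires a browser VIEW intent so the lock overlay's behaviour can be observed by hand. The advisory does not state the app's Android package name, so it is taken as a command-line argument; the `dumpsys package` output parsed here is a constructed sample of the real format, and `com.example.applock` is a placeholder.

```bash
#!/usr/bin/env bash
# Added example: detect the affected SpSoft AppLock build (CVE-2025-68712).
# Package name is NOT given in the advisory; pass it as the first argument
# (e.g. ./check_applock.sh com.example.applock   <- placeholder name).
set -eu

VULN_VERSION="7.9.40"   # affected version from the advisory

# Read `dumpsys package <pkg>` output on stdin and print the first versionName.
extract_version() {
    sed -n 's/^[[:space:]]*versionName=\([^[:space:]]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the version string equals the affected version.
is_vulnerable_version() {
    [ "$1" = "$VULN_VERSION" ]
}

# Query the attached device for the package and report.
# Exit codes: 0 = installed but not the affected build, 1 = affected build,
# 2 = package not found.
check_device() {
    pkg="$1"
    ver="$(adb shell dumpsys package "$pkg" 2>/dev/null | tr -d '\r' | extract_version)"
    if [ -z "$ver" ]; then
        echo "package $pkg is not installed on the attached device"
        return 2
    fi
    if is_vulnerable_version "$ver"; then
        echo "AFFECTED: $pkg $ver matches CVE-2025-68712 (SpSoft AppLock 7.9.40)"
        return 1
    fi
    echo "$pkg $ver is not the build named in CVE-2025-68712"
    return 0
}

# Manual reproduction aid: open a URL through a browser VIEW intent while a
# protected browser is locked, then watch whether the overlay lets you exit
# the lock flow without re-authenticating. The outcome must be judged by eye;
# this only triggers the route the advisory describes.
launch_browser_intent() {
    url="${1:-https://example.com/}"
    adb shell am start -a android.intent.action.VIEW -d "$url"
}

if [ "${1:-}" != "" ]; then
    check_device "$1"
fi
```

Run it with the AppLock package name once you have identified it on the device (`adb shell pm list packages | grep -i lock` narrows the list). A return code of 1 means the affected build is present; use `launch_browser_intent` afterwards only for a manual check, since the bypass itself is a UI flow that no command observes for you.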
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation begins with restricting physical access to devices running the affected version (7.9.40) of SpSoft AppLock, because the bypass is carried out from the lock screen by whoever is holding the device.
Be aware that the advertisement and browser routes are exploited by the attacker, not the legitimate user, so caution about tapping ads does not by itself prevent the bypass; treat it as a reason not to rely on the lock for sensitive apps while the flaw is unpatched.
Consider uninstalling or disabling the affected app until a patched version is released.
Monitor for updates from the developer that address this authentication bypass and apply them promptly.