CVE-2025-68712
Deferred Deferred - Pending Action
Authentication Bypass in SpSoft AppLock for Android

Publication date: 2026-05-27

Last updated on: 2026-05-28

Assigner: MITRE

Description
SpSoft AppLock (com.sp.protector.free) 7.9.40 for Android allows a local attacker with physical access to bypass fingerprint or PIN authentication. Although the app integrates Android's biometric mechanisms, the lock is implemented with a custom overlay that fails to consistently enforce authentication. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can exit the lock interface without re-authentication and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-27
Last Modified
2026-05-28
Generated
2026-06-17
AI Q&A
2026-05-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68712
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
spsoft applock 7.9.40
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

SpSoft AppLock version 7.9.40 for Android has a security flaw that allows a local attacker with physical access to bypass the app's fingerprint or PIN authentication.

Although the app uses Android's biometric mechanisms, it relies on a custom overlay for the lock, which does not consistently enforce authentication.

By exploiting insecure navigation through exposed routes, such as advertisement or browser intents, an attacker can navigate through cascading interface flows to exit the lock screen without re-authenticating.

This allows the attacker to gain control of the app and access protected applications like Chrome, leading to information disclosure and privilege escalation.

Impact Analysis

This vulnerability can allow an attacker with physical access to your device to bypass the fingerprint or PIN lock of SpSoft AppLock.

As a result, the attacker can access apps that you intended to protect, such as web browsers, potentially exposing sensitive information.

This leads to information disclosure and privilege escalation, meaning unauthorized users can gain higher access privileges than intended.

Compliance Impact

The vulnerability in SpSoft AppLock allows a local attacker with physical access to bypass fingerprint or PIN authentication, leading to unauthorized access to protected apps and potential information disclosure and privilege escalation.

Such unauthorized access and information disclosure could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls on access to personal and sensitive data.

However, the provided information does not explicitly discuss the impact on compliance with these standards or any regulatory consequences.

Detection Guidance

This vulnerability involves bypassing fingerprint or PIN authentication in the SpSoft AppLock app by exploiting insecure navigation through exposed interface routes triggered by advertisement or browser intents. Detection involves verifying if the app allows exiting the lock interface without re-authentication after such navigation.

Since the vulnerability requires physical access and interaction with the app's interface flows, network-based detection is unlikely to be effective.

To detect the vulnerability on the device, you can attempt to reproduce the attack by triggering advertisement or browser intents while the app is locked and observe if the lock screen is bypassed without requiring re-authentication.

There are no specific commands provided in the available resources to detect this vulnerability automatically.

Mitigation Strategies

Immediate mitigation steps include restricting physical access to devices running the vulnerable version (7.9.40) of SpSoft AppLock.

Avoid interacting with advertisements or browser intents while the app is locked, as these can be exploited to bypass authentication.

Consider uninstalling or disabling the vulnerable app until a patched version is released.

Monitor for updates from the developer that address this authentication bypass vulnerability and apply them promptly.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68712. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart