CVE-2017-5623
MEDIUMOxygenOS < 4.0.3 - Improper Privilege Management via Fastboot Command
Title source: llmDescription
An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' in contradiction to the threat model of Android where the bootloader MUST NOT allow any security-sensitive operation to be run unless the bootloader is unlocked.
References (2)
Core 2
Core References
Exploit, Technical Description, Third Party Advisory x_refsource_misc
https://alephsecurity.com/vulns/aleph-2017005
Third Party Advisory, VDB Entry vdb-entry
x_refsource_bid
http://www.securityfocus.com/bid/97048
Scores
CVSS v3
6.6
EPSS
0.0037
EPSS Percentile
29.3%
Attack Vector
PHYSICAL
CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-269
Status
published
Products (1)
oneplus/oxygenos
< 4.0.3
Published
Mar 19, 2017
Tracked Since
Feb 18, 2026