CVE-2017-5623

MEDIUM

Oneplus Oxygenos < 4.0.3 - Improper Privilege Management

Title source: rule

Description

An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device by issuing the 'fastboot oem boot_mode {rf/wlan/ftm/normal} command' in contradiction to the threat model of Android where the bootloader MUST NOT allow any security-sensitive operation to be run unless the bootloader is unlocked.

References (2)

[Exploit, Technical Description, Third Party Advisory] https://alephsecurity.com/vulns/aleph-2017005

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/97048

Scores

CVSS v3 6.6

EPSS 0.0005

EPSS Percentile 15.0%

Attack Vector PHYSICAL

CVSS:3.0/AV:P/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Classification

CWE

CWE-269

Status published

Affected Products (2)

oneplus/oxygenos < 4.0.3

n/a/n/a

Timeline

Published Mar 19, 2017

Tracked Since Feb 18, 2026