CVE-2022-0732
HIGH EXPLOITED
1byte copy9 - Unauthenticated Insecure Direct Object Reference
Title source: llm
Exploitation Summary
CVE-2022-0732 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The backend infrastructure shared by multiple mobile device monitoring services does not adequately authenticate or authorize API requests, creating an IDOR (Insecure Direct Object Reference) vulnerability.
References (4)
Core References
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert-vn
https://www.kb.cert.org/vuls/id/229438
Not Applicable x_refsource_misc
https://cwe.mitre.org/data/definitions/284.html
Press/Media Coverage, Third Party Advisory x_refsource_confirm
https://techcrunch.com/2022/02/22/stalkerware-network-spilling-data/
Third Party Advisory, US Government Resource third-party-advisory
x_refsource_cert-vn
https://kb.cert.org/vuls/id/229438
Scores
CVSS v3
7.5
EPSS
0.0247
EPSS Percentile
82.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Details
VulnCheck KEV
2023-07-27
CWE
CWE-284
CWE-639
Status
published
Products (9)
1byte/copy9
1byte/exactspy
1byte/fonetracker
1byte/guestspy
1byte/ispyoo
1byte/mxspy
1byte/secondclone
1byte/the_truth_spy
1byte/thespyapp
Published
Feb 24, 2022
Tracked Since
Feb 18, 2026