CVE-2025-5346
MEDIUM
Bluebird kr.co.bluebird.android.bbsettings < 1.3.3 - Path Traversal & Arbitrary File Write
Title source: llm
Description
Bluebird devices contain a pre-loaded barcode scanner application. This application exposes an unsecured broadcast receiver, "kr.co.bluebird.android.bbsettings.BootReceiver". A local attacker can call the receiver to overwrite a file whose name contains the ".json" keyword with the default barcode config file. Because the file name is not protected against path traversal, a file in any location can be overwritten. This issue affects all versions before 1.3.3.
References (1)
Core 1
Core References
Various Sources third-party-advisory
https://cert.pl/en/posts/2025/07CVE-2025-5344
Scores
CVSS v4: 5.1
EPSS: 0.0013
EPSS Percentile: 3.2%
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-926
Status: published
Products (1)
Bluebird/kr.co.bluebird.android.bbsettings: < 1.3.3
Published: Jul 17, 2025
Tracked Since: Feb 18, 2026