CRITICAL✓ PATCH🇵🇱 Wersja polska

CVE-2024-3701

CVSS 9.8v3.1pub. 2024-04-15upd. 2025-06-17

The system application (com.transsion.kolun.aiservice) component does not perform an authentication check, which allows attackers to perform malicious exploitations and affect system services.

🤖 AI Analysis
How it works

The com.transsion.kolun.aiservice component, which is part of the Tecno HiOS system software, does not implement an authentication mechanism (CWE-306) or identity verification (CWE-287) before handling requests. This means that any application or external entity capable of communicating with this component can invoke it without any permissions. An attacker can thus interact with system services and perform malicious operations that would normally require appropriate privileges.

Impact

An attacker without any privileges and without user interaction can remotely execute malicious actions on device system services, potentially gaining full access to sensitive data, modifying system state, or causing its destabilization (high confidentiality, integrity, and availability according to CVSS vector).

Mitigation & patch

Security patches available from the manufacturer should be applied according to references — security updates are published by Tecno Security Response Center at https://security.tecno.com/SRC/securityUpdates?type=SA. It is recommended to install available system software updates on Tecno devices as soon as possible.

Who is affected

Devices running Tecno HiOS containing the com.transsion.kolun.aiservice system application component; specific versions indicated in manufacturer references.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Tecno Hios

    OS
    Tecno
    13.0.0
🟢
PATCH AVAILABLE
Vendor update available. Deploy in standard maintenance cycle.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2025-15385CRITICAL9.8PL ✓ten sam vendor

Pominięcie uwierzytelnienia w aplikacji Tecno Boomplay (Android)

CVE-2025-3698HIGH7.5ten sam vendor

Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information l...

CVE-2025-2190HIGH8.1ten sam vendor

The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to c...

CVE-2019-15417HIGH7.8ten sam vendor

The Tecno Spark Pro Android device with a build fingerprint of TECNO/H3722/TECNO-K8:7.0/NRD90M/K8-H3722ABCDE-N...

CVE-2025-9056MEDIUM5.3ten sam vendor

Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthori...