CVE-2021-25266 LOW

Vendor: Sophos
Product: Intercept X for Mobile (Android)
Published: April 27, 2022
Last update: August 3, 2024

CVSS base score

3.9/10
Attack vector: Physical
Attack complexity: Low
Privileges required: High
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:P/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.

Key dates

02 Disclosure timeline

April 27, 2022: CVE published
August 3, 2024: Record updated