Cyber Resilience

CVE-2019-25605

HighPublic PoC

Published: 22 March 2026

Published
22 March 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0027 18.9th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2019-25605 is a high-severity Improper Authorization of Index Containing Sensitive Information (CWE-612) vulnerability in Google (inferred from references). Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 18.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AU-3 (Content of Audit Records) and AU-9 (Protection of Audit Information).

Deeper analysis

EquityPandit 1.0, an Android application, suffers from CVE-2019-25605, an insecure logging vulnerability classified under CWE-612. The issue involves the app logging plaintext user passwords to developer console logs during the forgot password function, making them accessible via the Android Debug Bridge (ADB). This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no requirements for privileges or user interaction.

Any remote attacker can exploit this vulnerability by using the adb logcat command to capture the exposed logs and extract sensitive user credentials, such as plaintext passwords. Successful exploitation reveals account credentials for affected users, potentially enabling unauthorized access to user accounts without needing physical device access, authentication, or user involvement, as reflected in the CVSS vector.

Advisories and related resources, including the Vulncheck advisory on EquityPandit insecure logging, an Exploit-DB proof-of-concept (exploit 46933), and the app's Google Play Store listing, document the issue but do not specify patches or mitigations in the available details. Security practitioners should review these references for reproduction steps and verify if updated app versions address the logging flaw.

EU & UK References

Vulnerability details

EquityPandit 1.0 contains an insecure logging vulnerability that allows attackers to capture sensitive user credentials by accessing developer console logs via Android Debug Bridge. Attackers can use adb logcat to extract plaintext passwords logged during the forgot password function, exposing…

more

user account credentials.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1552 Unsecured Credentials Credential Access
Adversaries may search compromised systems to find and obtain insecurely stored credentials.
Why these techniques?

Insecure plaintext password logging enables credential access via log retrieval (T1552 Unsecured Credentials).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-3653Shared CWE-612
CVE-2025-3654Shared CWE-612
CVE-2025-3660Shared CWE-612

Affected Assets

Google
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AU-3 requires audit records to contain only necessary information without exposing sensitive data like plaintext passwords, directly preventing their logging during functions such as forgot password.

prevent

AU-9 enforces protection of audit information from unauthorized access and modification, mitigating extraction of logged credentials via ADB logcat.

detect

AU-13 provides monitoring of destinations for unauthorized information disclosure, enabling detection of sensitive credentials in console logs.

References