CVE-2025-0590

Severity: High
Published: 20 January 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
Patch: see the Tecno Security Response Center advisories under References
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0014 (34.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-0590 is a high-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability in the Tecno Carlcare mobile application (package com.transsion.carlcare). The vendor is inferred from the references, since NVD filed no CPE for this CVE. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). EPSS ranks it at the 34.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations identified by this analysis are NIST 800-53 AC-19 (Access Control for Mobile Devices) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and one other technique, Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-19 Access Control for Mobile Devices (prevent)
Directly mitigates improper permission settings in mobile applications by establishing usage restrictions, configuration requirements, and access controls for mobile devices.

Secure configuration settings (prevent; control ID not given on the page)
Addresses the vulnerability by establishing and documenting secure configuration settings, including proper permission configurations, for the affected mobile application.

AC-6 Least Privilege (prevent)
Prevents information leakage risk by enforcing the principle of least privilege on permissions granted to the mobile application.

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVSS vector (AV:N, PR:N) implies that the misconfigured permission is reachable over the network without credentials, which is why the mapping includes Exploit Public-Facing Application (T1190) as the access step; the resulting read of sensitive application data is Data from Local System (T1005). Note that the NVD description says only "improper permission settings for mobile applications", so the remote-reachability claim rests on the CVSS vector rather than on published technical detail; confirm it against the Tecno advisory before treating the app as an Internet-facing attack surface.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper permission settings for mobile applications (com.transsion.carlcare) may lead to information leakage risk.

Deeper analysis

CVE-2025-0590 involves improper permission settings in the com.transsion.carlcare mobile application, which may lead to an information leakage risk. The vulnerability, published on 2025-01-20, is classified as CWE-732 and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact and no impact on integrity or availability.

Per the CVSS vector, the vulnerability can be exploited by a remote, unauthenticated attacker with low attack complexity and no user interaction. Successful exploitation lets the attacker read sensitive information stored or handled by the affected application, resulting in unauthorized data disclosure.
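The page does not say which permission in com.transsion.carlcare was misconfigured, so the following is an added example, not code from the page, from Tecno, or from the Carlcare app: it demonstrates the generic CWE-732 check a reviewer would run against any Android app's AndroidManifest.xml. A component that is exported, explicitly or implicitly through an intent-filter, and that declares no android:permission is callable by every other app on the device, which is the usual root of "improper permission settings" findings in mobile apps. The manifest below is constructed for illustration; its package and component names are hypothetical.

```python
# Added example (not the page's, Tecno's or the Carlcare app's code). Flags Android
# components that are exported but carry no permission: a CWE-732 pattern in mobile apps.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")
LAUNCHER = "android.intent.category.LAUNCHER"

# Constructed sample manifest with a hypothetical package; not the real Carlcare manifest.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.carcare">
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <!-- exported provider with no permission: any app on the device can query its data -->
    <provider android:name=".UserDataProvider"
              android:authorities="com.example.carcare.userdata"
              android:exported="true"/>
    <!-- exported provider guarded by a permission: acceptable if it is signature-level -->
    <provider android:name=".SyncProvider"
              android:authorities="com.example.carcare.sync"
              android:exported="true"
              android:permission="com.example.carcare.permission.SYNC"/>
    <!-- no android:exported but an intent-filter: exported by default on older targets -->
    <receiver android:name=".DebugReceiver">
      <intent-filter>
        <action android:name="com.example.carcare.DUMP_LOGS"/>
      </intent-filter>
    </receiver>
    <service android:name=".InternalService" android:exported="false"/>
  </application>
</manifest>
"""


def _attr(elem, name):
    """Read an attribute from the android: namespace."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def is_exported(elem):
    """Platform rule: an explicit android:exported wins; otherwise activities, services and
    receivers that declare an <intent-filter> are exported by default. Providers default to
    exported only when targetSdkVersion < 17, so an unspecified provider is treated as private."""
    explicit = _attr(elem, "exported")
    if explicit is not None:
        return explicit.strip().lower() == "true"
    if elem.tag == "provider":
        return False
    return elem.find("intent-filter") is not None


def _is_launcher(elem):
    """The launcher activity has to be exported, so it is not a finding."""
    return any(_attr(cat, "name") == LAUNCHER
               for f in elem.findall("intent-filter") for cat in f.findall("category"))


def find_unprotected_exports(manifest_xml):
    """Return (tag, name, reason) for every exported component that has no permission."""
    findings = []
    for elem in ET.fromstring(manifest_xml).iter():
        if elem.tag not in COMPONENT_TAGS or not is_exported(elem) or _is_launcher(elem):
            continue
        # providers may use read/write permissions instead of android:permission
        if any(_attr(elem, a) for a in ("permission", "readPermission", "writePermission")):
            continue
        reason = ("explicit android:exported=true" if _attr(elem, "exported") is not None
                  else "implicit export via intent-filter")
        findings.append((elem.tag, _attr(elem, "name"), reason))
    return findings


if __name__ == "__main__":
    for tag, name, reason in find_unprotected_exports(SAMPLE_MANIFEST):
        print(f"CWE-732 candidate: <{tag}> {name} ({reason})")
```

On the constructed manifest the script reports the unguarded UserDataProvider and the implicitly exported DebugReceiver, and stays quiet about the launcher activity, the permission-protected SyncProvider and the private service. To run it against a real APK, decode the binary manifest first (for example with apkanalyzer's manifest print command) and pass the resulting XML text. Apps targeting API 31 or later must declare android:exported explicitly on any component with an intent-filter, so the implicit branch matters mainly for older targets; a permission-protected export is still worth a look, since a permission with protectionLevel normal can be requested by any app.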

Mitigation details are available in advisories from the Tecno Security Response Center, including the specific blog post at https://security.tecno.com/SRC/blogdetail/381?lang=en_US and the security updates page at https://security.tecno.com/SRC/securityUpdates.

Details

CWE(s)

CWE-732 Incorrect Permission Assignment for Critical Resource

Affected Products

Tecno (com.transsion.carlcare mobile application)
Inferred from the references and description; NVD did not file a CPE for this CVE.

CVEs Like This One

CVE-2024-57520 (shared CWE-732)
CVE-2025-25373 (shared CWE-732)
CVE-2026-21902 (shared CWE-732)
CVE-2025-0066 (shared CWE-732)
CVE-2024-57547 (shared CWE-732)
CVE-2025-24527 (shared CWE-732)
CVE-2025-41118 (shared CWE-732)
CVE-2026-26102 (shared CWE-732)
CVE-2025-21564 (shared CWE-732)
CVE-2025-46093 (shared CWE-732)

References

https://security.tecno.com/SRC/blogdetail/381?lang=en_US (Tecno Security Response Center advisory)
https://security.tecno.com/SRC/securityUpdates (Tecno security updates page)