Cyber Posture

CVE-2025-1298

Severity: Critical

Published: 14 February 2025
Modified: 15 April 2026
KEV Added: (none)
Patch: (none recorded)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1298 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in a Tecno product (vendor inferred from the references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Remediates the specific logic vulnerability in the Carlcare mobile application through timely patching, directly preventing remote account takeover exploits.

Mobile device usage restrictions and monitoring (prevent, detect)
Establishes usage restrictions, monitoring, and vulnerability scanning for mobile devices and apps like Carlcare to mitigate account takeover risks from logic flaws.

AC-14 Permitted Actions Without Identification or Authentication (prevent)
Limits actions allowable without identification or authentication, countering the no-privilege network exploitation vector that enables account takeover in this CVE.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078.004 Cloud Accounts (Stealth)
Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Remote unauthenticated logic flaw (CWE-290) directly enables network-based exploitation of the app's authentication process for full account takeover, mapping to public-facing app exploitation and cloud/valid account abuse.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Logic vulnerability in the mobile application (com.transsion.carlcare) may lead to the risk of account takeover.

Deeper analysis

CVE-2025-1298 is a logic vulnerability, classified under CWE-290, in the mobile application com.transsion.carlcare that may lead to account takeover. The vulnerability affects the Carlcare app, associated with Transsion devices such as those from TECNO, and carries a critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It was published on 2025-02-14 (08:15:30.877).

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially resulting in full account takeover for affected users.

Security practitioners should consult the vendor advisories for mitigation guidance and patch information, available at https://security.tecno.com/SRC/blogdetail/383?lang=en_US and https://security.tecno.com/SRC/securityUpdates.

Details

CWE(s)

CWE-290 Authentication Bypass by Spoofing

Affected Products

Tecno (inferred from references and description; NVD did not file a CPE for this CVE)

CVEs Like This One

CVE-2026-33661 (shared CWE-290)
CVE-2026-34457 (shared CWE-290)
CVE-2026-35622 (shared CWE-290)
CVE-2026-3902 (shared CWE-290)
CVE-2026-30975 (shared CWE-290)
CVE-2026-21862 (shared CWE-290)
CVE-2026-0834 (shared CWE-290)
CVE-2025-11250 (shared CWE-290)
CVE-2025-59385 (shared CWE-290)
CVE-2026-32045 (shared CWE-290)

References

https://security.tecno.com/SRC/blogdetail/383?lang=en_US
https://security.tecno.com/SRC/securityUpdates