CVE-2025-1298

Severity: Critical
Published: 14 February 2025
Modified: 15 April 2026
KEV Added: not listed (not in the CISA KEV catalog)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.4th percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-1298 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability affecting Tecno (the vendor is inferred from the references, as no CPE was filed for this CVE). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-1298 is a logic vulnerability, classified under CWE-290, in the mobile application com.transsion.carlcare that may lead to the risk of account takeover. The vulnerability affects the Carlcare app, associated with Transsion devices such as those from TECNO, and carries a critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It was published on 2025-02-14T08:15:30.877.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, authentication, or user interaction. Successful exploitation enables high-impact compromise of confidentiality, integrity, and availability, potentially resulting in full account takeover for affected users.

Security practitioners should consult the vendor advisories for mitigation guidance and patch information, available at https://security.tecno.com/SRC/blogdetail/383?lang=en_US and https://security.tecno.com/SRC/securityUpdates.

Vulnerability details

Logic vulnerability in the mobile application (com.transsion.carlcare) may lead to the risk of account takeover.

CWE(s)

CWE-290 Authentication Bypass by Spoofing

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
  Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1078.004 Cloud Accounts (Stealth)
  Valid accounts in cloud environments may allow adversaries to perform actions to achieve Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

Why these techniques?

The remote, unauthenticated logic flaw (CWE-290) directly enables network-based exploitation of the app's authentication process for full account takeover, which maps to exploitation of a public-facing application (T1190) and to abuse of valid cloud accounts (T1078.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-55925 (shared CWE-290)
CVE-2026-0834 (shared CWE-290)
CVE-2026-33131 (shared CWE-290)
CVE-2026-24372 (shared CWE-290)
CVE-2025-27671 (shared CWE-290)
CVE-2026-24853 (shared CWE-290)
CVE-2026-30975 (shared CWE-290)
CVE-2026-31889 (shared CWE-290)
CVE-2026-40575 (shared CWE-290)
CVE-2025-11250 (shared CWE-290)

Affected Assets

Tecno (vendor inferred from the references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5) (AI)

SI-2 Flaw Remediation [prevent]
  Remediates the specific logic vulnerability in the Carlcare mobile application through timely patching, directly preventing remote account takeover exploits.

[prevent, detect]
  Establishes usage restrictions, monitoring, and vulnerability scanning for mobile devices and apps such as Carlcare to mitigate account takeover risks from logic flaws.

AC-14 Permitted Actions Without Identification or Authentication [prevent]
  Limits the actions allowed without identification or authentication, countering the unprivileged network exploitation vector that enables account takeover in this CVE.