Key vulnerability information

CVE-2025-50861 - Lotus Cars Android App Exported Component Access

Summary: The Lotus Cars Android application (com.lotus.carsdomestic.intl) version 1.2.8 contains an exported component, PushDeepLinkActivity, that is accessible without authentication or appropriate permission checks.

Vulnerability Type:
- Incorrect Access Control
- Improper Export of Android Component

Attack Vector: Local (on-device malicious apps, or via ADB)

Impact:
- Unauthorized access to internal app activities
- Potential denial of service or logic abuse

Affected Component: PushDeepLinkActivity in AndroidManifest.xml

Affected Version: com.lotus.carsdomestic.intl 1.2.8

References:
- Lotus Cars
- MITRE CVE Entry

Timeline:
- Discovered: Private research on personal device
- Reported to vendor: May 2025
- CVE Reserved: 2025-50861

CVE-2025-50862 - Lotus Cars Android App Insecure Data Backup

Summary: The Lotus Cars Android application (com.lotus.carsdomestic.intl) version 1.2.8 has the allowBackup=true setting enabled in its manifest.

Vulnerability Type: Insecure Data Storage

Attack Vector: Local (ADB backup on rooted or debug-enabled devices)

Impact: Unauthorized exfiltration of sensitive data from the app

Affected Component: AndroidManifest.xml (allowBackup=true)

Affected Version: com.lotus.carsdomestic.intl 1.2.8

References:
- Lotus Cars
- MITRE CVE Entry

Timeline:
- Discovered: Rooted device analysis, no server interaction
- Reported to vendor: May 2025
- CVE Reserved: 2025-50862