Security Bulletin

Summary
  • Severity CVEs
  • High CVE-2025-31713
  • Medium CVE-2025-31714
  • Critical CVE-2025-31715
Details
  • CVE ID CVE-2025-31715
  • Title Improper Neutralization of Special Elements used in a Command ('Command Injection') in vowifi service
  • Description

    In vowifi service, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • Access Vector Network
  • CVSS Rating Critical
  • CVSS Score 9.8
  • CVSS String CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Affected Chipsets*

    SL8521E/SL8521ET/SL8541E/UIS8141E/UWS6137/UWS6137E/UWS6151(E)/UWS6152

  • Affected Software Versions

    Mocor5/Android8.1/Android9

  • CVE ID CVE-2025-31714
  • Title Improper Input Validation in Developer Tools
  • Description

    In Developer Tools, there is a possible missing verification of incorrect input. This could lead to local escalation of privilege with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-20 Improper Input Validation
  • Access Vector Physical
  • CVSS Rating Medium
  • CVSS Score 6.8
  • CVSS String CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Affected Chipsets*

    SL8521E/SL8521ET/SL8541E/UIS8141E/UWS6137/UWS6137E/UWS6151(E)/UWS6152

  • Affected Software Versions

    Mocor5/Android8.1/Android9

  • CVE ID CVE-2025-31713
  • Title Improper Neutralization of Special Elements used in a Command ('Command Injection') in engineer mode service
  • Description

    In engineer mode service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed.

  • Technology Area Android
  • Vulnerability Type CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
  • Access Vector Local
  • CVSS Rating High
  • CVSS Score 8.4
  • CVSS String CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Affected Chipsets*

    SL8521E/SL8521ET/SL8541E/UIS8141E/UWS6137/UWS6137E/UWS6151(E)/UWS6152

  • Affected Software Versions

    Mocor5/Android8.1

*The list of affected chipsets may not be complete. For the latest information, device OEMs can contact Unisoc directly at https://unisupport.unisoc.com

Vulnerability type definition
  • Abbreviation Interpretation
  • RCE Remote Code Execution
  • EoP Elevation of Privilege
  • ID Information Disclosure
  • DoS Denial of Service
  • N/A Classification not available
Version
  • Version Date Description
  • 1.0 2025-07-31