CVE-2025-1941 - Vulnerability Details

- Lock screen setting bypass in Firefox Focus for Android

Description

Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136.

Published: 2025-03-04

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

In Firefox Focus for Android, a flaw enables bypassing a user opt‑in setting that requires authentication before the app can be used. This removes the intended security barrier, allowing an attacker to access sensitive functionality or data without permission. The weakness is classified as an access control issue (CWE‑284) combined with a missing authentication (CWE‑306).

Affected Systems

Mozilla Firefox Focus for Android on all versions prior to 136 are impacted. Versions 136 and later contain the fix. Any device running an earlier build remains vulnerable.

Risk and Exploitability

The CVSS score of 9.1 marks the vulnerability as severe, while the EPSS score of less than 1% indicates a very low likelihood of exploitation in the short term. The issue is not currently listed in the CISA KEV catalog. Exploitation would require local device access or the ability to load malicious content into the Focus app, a plausible scenario on compromised Android devices. Despite the low exploitation probability, the high severity warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Mozilla

Firefox

affected

Version	Status	Constraints
`136`	unaffected	≤ *

Configuration 1 [-]

cpe:2.3:a:mozilla:firefox:*:*:*:*:*:*:*:*

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Firefox Focus to version 136 or later on all Android devices.
If upgrade cannot be performed immediately, uninstall the vulnerable Focus app or disable any authentication‑requiring setting until a patched version is available.
Apply device‑wide security controls such as app whitelisting and monitor logs for unauthorized use of Focus features.

Generated by OpenCVE AI on April 20, 2026 at 18:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
EUVD	EUVD-2025-7443	Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00066.

Exploitation none

Automatable yes

Technical Impact total

References

Link	Providers
https://bugzilla.mozilla.org/show_bug.cgi?id=1944665
https://nvd.nist.gov/vuln/detail/CVE-2025-1941
https://www.cve.org/CVERecord?id=CVE-2025-1941
https://www.mozilla.org/security/advisories/mfsa2025-14/

History

Mon, 13 Apr 2026 15:00:00 +0000

Type	Values Removed	Values Added
Description	Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.	Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability was fixed in Firefox 136.
Title	firefox: Lock screen setting bypass in Firefox Focus for Android	Lock screen setting bypass in Firefox Focus for Android

Fri, 28 Mar 2025 20:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mozilla Mozilla firefox
CPEs		cpe:2.3:a:mozilla:firefox::::::::
Vendors & Products		Mozilla Mozilla firefox

Wed, 05 Mar 2025 03:00:00 +0000

Type	Values Removed	Values Added
Title		firefox: Lock screen setting bypass in Firefox Focus for Android
Weaknesses		CWE-306
References		https://nvd.nist.gov/vuln/detail/CVE-2025-1941 https://www.cve.org/CVERecord?id=CVE-2025-1941
Metrics	threat_severity `None`	threat_severity `Moderate`

Tue, 04 Mar 2025 16:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Tue, 04 Mar 2025 13:45:00 +0000

Type	Values Removed	Values Added
Description		Under certain circumstances, a user opt-in setting that Focus should require authentication before use could have been be bypassed (distinct from CVE-2025-0245). This vulnerability affects Firefox < 136.
References		https://bugzilla.mozilla.org/show_bug.cgi?id=1944665 https://www.mozilla.org/security/advisories/mfsa2025-14/

Subscriptions

Mozilla Firefox

MITRE

Status: PUBLISHED

Assigner: mozilla

Published: 2025-03-04T13:31:25.097Z

Updated: 2026-04-13T14:30:25.557Z

Reserved: 2025-03-04T12:29:48.176Z

Link: CVE-2025-1941

Vulnrichment

Updated: 2025-03-04T15:48:24.179Z

NVD

Status : Modified

Published: 2025-03-04T14:15:39.063

Modified: 2026-04-13T15:16:53.777

Link: CVE-2025-1941

Redhat

Severity : Moderate

Publid Date: 2025-03-04T13:31:25Z

Links: CVE-2025-1941 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-20T18:30:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object