CVE-2025-68708 - Vulnerability Details

- PIN Bypass via Overlay in SailingLab AppLock

Description

SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.

Published: 2026-05-26

Score: 2.4 Low

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

SailingLab AppLock (com.alpha.applock) implements its PIN lock as a screen overlay instead of using Android’s secure authentication APIs, creating an authentication bypass weakness (CWE‑288). A local attacker who has physical access to the device can navigate the app’s interface, exploiting exposed routes and advertisement or browser intents. This allows the attacker to bypass the lockscreen verification and gain access to protected applications such as Chrome, resulting in information disclosure and privilege escalation.

Affected Systems

The vulnerability affects SailingLab’s AppLock version 4.3.8 on Android devices. No other versions or vendor details are available in the current data set.

Risk and Exploitability

Exploitation requires only local, physical access to the device. The CVSS score is 2.4, and the EPSS score is < 1%, and the vulnerability is not listed in CISA’s KEV catalog. Therefore, the real‑world exploitation likelihood is uncertain but possible under the described local conditions.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Actuator

Com.alpha.applock

80%

Version	Status	Scheme	Platform
`4.3.8`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Disable or uninstall the application to eliminate this vulnerability.
Enable or set a strong device‑level lock or biometric authentication to protect against overlay attacks.
Check the vendor’s website or the GitHub repository for any updates or fixes.

Generated by OpenCVE AI on May 28, 2026 at 01:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00186.

Exploitation none

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/actuator/com.alpha.applock
https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68708
https://play.google.com/store/apps/details?id=com.alpha.applock

History

Thu, 28 May 2026 01:45:00 +0000

Type	Values Removed	Values Added
Title		PIN Bypass via Overlay in SailingLab AppLock

Wed, 27 May 2026 23:30:00 +0000

Type	Values Removed	Values Added
Title	Local PIN Bypass via Overlay in SailingLab AppLock Lead to Privilege Escalation
Weaknesses	CWE-287

Wed, 27 May 2026 21:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-288
Metrics		cvssV3_1 `{'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Wed, 27 May 2026 10:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Actuator Actuator com.alpha.applock
Vendors & Products		Actuator Actuator com.alpha.applock

Tue, 26 May 2026 22:15:00 +0000

Type	Values Removed	Values Added
Title		Local PIN Bypass via Overlay in SailingLab AppLock Lead to Privilege Escalation
Weaknesses		CWE-287

Tue, 26 May 2026 20:30:00 +0000

Type	Values Removed	Values Added
Description		SailingLab AppLock (aka com.alpha.applock) 4.3.8 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents - an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
References		https://github.com/actuator/com.alpha.applock https://github.com/actuator/com.alpha.applock/blob/main/CVE-2025-68708 https://play.google.com/store/apps/details?id=com.alpha.applock

Subscriptions

Actuator Com.alpha.applock

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-26T00:00:00.000Z

Updated: 2026-05-27T20:33:41.163Z

Reserved: 2025-12-24T00:00:00.000Z

Link: CVE-2025-68708

Vulnrichment

Updated: 2026-05-27T20:33:22.431Z

NVD

Status : Deferred

Published: 2026-05-26T21:16:35.940

Modified: 2026-06-17T09:59:26.710

Link: CVE-2025-68708

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T01:30:03Z

Weaknesses

CWE-288
Authentication Bypass Using an Alternate Path or Channel

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Physical

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object