Description
AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents, an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
Published: 2026-05-26
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

AppLockZ App Lock and Fingerprint Lock (version 4.2.11) contains a flaw that allows a local attacker with physical access to bypass the PIN lock. The application implements the lock as an overlay instead of relying on Android's secure authentication APIs, enabling the attacker to navigate exposed routes and evade lockscreen verification through advertisement or browser intents. This improper authentication weakness, combined with insecure handling of intent resolution (CWE-288), permits an attacker to access protected applications such as Chrome, effectively elevating privileges and disclosing sensitive information.

Affected Systems

Systems affected include devices running AppLockZ App Lock and Fingerprint Lock 4.2.11 on Android. No vendor or product version list was supplied beyond the specific application version, so any Android device using this version is considered vulnerable.

Risk and Exploitability

The vulnerability is local and requires physical access. With a CVSS score of 2.4 and an EPSS score of < 1%, the risk assessment indicates low exploitation probability, and the absence of a KEV listing suggests no widespread exploitation reports yet. Nevertheless, the flaw’s nature allows immediate privilege escalation once the lock is bypassed. Attackers can exploit the flaw by traversing insecure navigation flows or intent‑based advertisement redirection, which the application treats as legitimate control paths.

Generated by OpenCVE AI on May 28, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest patched version of AppLockZ that replaces the overlay with secure Android authentication APIs.
  • Configure the app to validate or reject untrusted intents to mitigate navigation-based bypass (CWE-288).
  • If a patch is not available, disable the overlay feature and use the device’s native lock screen instead of AppLockZ.
  • Monitor the vendor’s release notes and apply updates promptly.

Advisories

No advisories yet.

History

Thu, 28 May 2026 00:45:00 +0000

Type Values Removed Values Added
Title AppLockZ PIN Lock Bypass via Intent Navigation

Wed, 27 May 2026 23:30:00 +0000

Type Values Removed Values Added
Title Local Attacker Can Bypass AppLockZ PIN Overlay to Access Protected Apps on Android
Weaknesses CWE-287

Wed, 27 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-288
Metrics cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Actuator
Actuator applock.passwordfingerprint.applockz
Vendors & Products Actuator
Actuator applock.passwordfingerprint.applockz

Tue, 26 May 2026 21:45:00 +0000

Type Values Removed Values Added
Title Local Attacker Can Bypass AppLockZ PIN Overlay to Access Protected Apps on Android
Weaknesses CWE-287

Tue, 26 May 2026 20:30:00 +0000

Type Values Removed Values Added
Description AppLockZ App Lock and Fingerprint Lock (applock.passwordfingerprint.applockz) 4.2.11 for Android allows a local attacker with physical access to bypass the PIN lock. The lock is implemented as an overlay rather than by using Android's secure authentication APIs. By navigating cascading interface flows - insecure navigation through exposed routes facilitates app control evasion {I.N.T.E.R.F.A.C.E] via advertisement or browser intents, an attacker can evade lockscreen verification and access protected apps (e.g., Chrome). This results in information disclosure and privilege escalation.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-27T20:32:51.322Z

Reserved: 2025-12-24T00:00:00.000Z

Link: CVE-2025-68711

Vulnrichment

Updated: 2026-05-27T20:32:29.444Z

NVD

Status: Deferred

Published: 2026-05-26T21:16:36.043

Modified: 2026-06-17T09:59:27.153

Link: CVE-2025-68711

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T00:30:02Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel