Description
A weakness has been identified in Freedom Factory dGEN1 up to 20260221. This affects the function AndroidEthereum of the component org.ethosmobile.webpwaemul. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-03-07
Score: 2.3 Low
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via improper access controls
Action: Assess
AI Analysis

Impact

The vulnerability is found in Freedom Factory dGEN1 firmware up to 20260221, affecting the AndroidEthereum function of the org.ethosmobile.webpwaemul component. It leads to improper access controls that allow a remote attacker to execute privileged operations or gain unauthorized data access. The weakness falls under CWE-266 (Use of a Trusted Resource by an Unauthorized Entity) and CWE-284 (Improper Access Control). Because the exploit is publicly available, the threat of remote exploitation exists, albeit with high complexity and difficulty.

Affected Systems

The affected product is Freedom Factory dGEN1, specifically firmware versions up to 20260221. No other models or versions are listed as impacted. The affected function is AndroidEthereum in the org.ethosmobile.webpwaemul component. Attackers would need to target devices running these specific firmware revisions to exploit the flaw.

Risk and Exploitability

The base CVSS score of 2.3 indicates low severity, and the EPSS score of <1% suggests a very low current likelihood of exploitation. However, the publicly disclosed exploit makes the vulnerability realistic for an attacker willing to invest the effort that a high-complexity attack requires. Successful exploitation would enable unauthorized access to functions intended for authenticated or privileged use, potentially exposing sensitive data or control over the device. The vulnerability is not listed in the CISA KEV catalog, and the vendor has not responded to the disclosure, so mitigation relies on user-driven controls and any future firmware fixes.

Generated by OpenCVE AI on April 16, 2026 at 04:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify the firmware version of your Freedom Factory dGEN1 device; if it is firmware 20260221 or earlier, contact Freedom Factory for a security update or upgrade to the latest firmware that removes the access control flaw.
  • Until a patch is available, isolate the dGEN1 device from untrusted networks, restrict access to the AndroidEthereum component by implementing network segmentation or firewall rules, and enable any available device‑side restrictions to limit the functions that can be invoked remotely.
  • Continuously monitor the device for anomalous activity, check system logs for unauthorized calls to AndroidEthereum, and apply any vendor‑issued fixes or configuration changes as soon as they are released.



Advisories

No advisories yet.

History

Wed, 11 Mar 2026 17:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 09 Mar 2026 10:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Freedom Factory; Freedom Factory dgen1
Vendors & Products | | Freedom Factory; Freedom Factory dgen1

Sat, 07 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Description | | A weakness has been identified in Freedom Factory dGEN1 up to 20260221. This affects the function AndroidEthereum of the component org.ethosmobile.webpwaemul. This manipulation causes improper access controls. Remote exploitation of the attack is possible. The attack is considered to have high complexity. The exploitability is reported as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Freedom Factory dGEN1 org.ethosmobile.webpwaemul AndroidEthereum access control
Weaknesses | | CWE-266; CWE-284
References | |
Metrics | | cvssV2_0 {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 3.1, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 2.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-11T16:29:00.643Z

Reserved: 2026-03-06T20:53:14.565Z

Link: CVE-2026-3668

Vulnrichment

Updated: 2026-03-11T16:23:10.579Z

NVD

Status: Deferred

Published: 2026-03-07T16:15:57.010

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-3668

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T04:45:16Z
