Impact
The vulnerability stems from improperly exported Android application components in Fortinet FortiTokenAndroid versions 5.2.x, 6.1.x, and 6.2.x. Because the app exposes a Content Provider URI without adequate access controls, an attacker can resolve the URI and query the provider to reveal sensitive information such as token credentials or other data stored by the app. The flaw permits unauthorized disclosure of data, potentially enabling credential theft or other privileged actions, and is classified as CWE-926.
Affected Systems
Fortinet FortiTokenAndroid on Android devices is affected in all 5.2.x, 6.1.x, and 6.2.x releases. The issue is mitigated by upgrading to version 6.4.0 or newer.
Risk and Exploitability
We rate the severity at a CVSS score of 5, indicating medium risk. The EPSS score is < 1%, and the vulnerability is not listed in the CISA KEV catalog, indicating no known mass exploitation. The likely attack vector is an exported Content Provider URI that can be queried by a malicious application installed on the same device, or by a local attacker with sufficient privileges. Practical exploitability depends on device configuration and the presence of poorly secured third-party apps, but the risk remains moderate in the absence of a publicly known exploit.
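The root cause described under Impact and the attack vector described above both come down to a `<provider>` declared in the manifest as exported without a guarding permission (CWE-926). The following is an added example, not code from Fortinet or from the OpenCVE page: a small audit script that parses an `AndroidManifest.xml` and flags exported providers that carry no `android:permission`, `android:readPermission` or `android:writePermission`. The manifest it runs on is constructed for the example (package name, provider names and authorities are invented) and does not represent FortiToken's real manifest; the `default_exported` parameter models the fact that on apps targeting API level 16 or lower a provider with no explicit `android:exported` attribute is exported by default.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Constructed sample manifest (hypothetical package, not FortiToken's):
#  - TokenProvider   : exported with no permission  -> the CWE-926 pattern
#  - SettingsProvider: not exported                 -> safe
#  - ShareProvider   : exported but permission-gated -> safe
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tokenapp">
  <application>
    <provider
        android:name=".TokenProvider"
        android:authorities="com.example.tokenapp.tokens"
        android:exported="true" />
    <provider
        android:name=".SettingsProvider"
        android:authorities="com.example.tokenapp.settings"
        android:exported="false" />
    <provider
        android:name=".ShareProvider"
        android:authorities="com.example.tokenapp.share"
        android:exported="true"
        android:permission="com.example.tokenapp.permission.READ_SHARE" />
  </application>
</manifest>
"""

PERMISSION_ATTRS = ("permission", "readPermission", "writePermission")


def android_attr(element, name):
    """Read a namespaced android:<name> attribute, or None if absent."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def find_unprotected_providers(manifest_xml, default_exported=False):
    """Return providers reachable by other apps with no permission gate.

    default_exported: value assumed when android:exported is missing.
    Pass True when auditing an app with targetSdkVersion <= 16, where
    providers were exported by default.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for prov in root.iter("provider"):
        exported_attr = android_attr(prov, "exported")
        if exported_attr is None:
            is_exported = default_exported
        else:
            is_exported = exported_attr.strip().lower() == "true"
        if not is_exported:
            continue  # only the app itself can reach it
        # Any of the three permission attributes gates access to the provider.
        gated = any(android_attr(prov, a) for a in PERMISSION_ATTRS)
        if not gated:
            findings.append({
                "name": android_attr(prov, "name"),
                "authorities": android_attr(prov, "authorities"),
                "exported_explicit": exported_attr is not None,
            })
    return findings


if __name__ == "__main__":
    for f in find_unprotected_providers(SAMPLE_MANIFEST):
        print(f"UNPROTECTED provider {f['name']} "
              f"(authorities={f['authorities']}, "
              f"explicit exported={f['exported_explicit']})")
```

The fix the script points at is the one FortiToken 6.4.0 applies in spirit: either set `android:exported="false"` on providers that only the app itself needs, or keep them exported but gate them with a signature-level permission so that only apps signed with the same key can query the URI. Run the script against a decoded APK's manifest (for example one produced by `apktool`) to triage third-party apps the same way.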
OpenCVE Enrichment