Description
A vulnerability has been found in Rico só vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.java of the component br.com.rico.mobile. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-04-03
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Local Key Exposure
Action: Assess Impact
AI Analysis

Impact

A flaw in the Rico só vantagem pra investir Android application allows an attacker with local access to manipulate the SEGMENT_WRITE_KEY argument in SegmentSettingsModule.java, causing the app to use a hard-coded cryptographic key. Because the key is exposed, a local adversary could potentially decrypt, sign, or otherwise tamper with data that the application assumes is protected by a unique runtime key. The weakness stems from improper key handling and is classified as CWE-320 (Hard-coded Cryptographic Key) and CWE-321 (Reused Hard-coded Cryptographic Key). The vulnerability offers no remote or network-based exploitation route; it can only be triggered on a device already running the affected app.

Affected Systems

The issue affects the Rico só vantagem pra investir App for Android in versions up to 4.58.32.12421. The affected code resides in the br.com.rico.mobile component, specifically in br/com/rico/mobile/di/SegmentSettingsModule.java. Any device running an affected build (up to 4.58.32.12421) is therefore exposed if an attacker can alter the SEGMENT_WRITE_KEY argument locally.

Risk and Exploitability

The CVSS base score of 4.8 indicates low-to-moderate severity. The EPSS score is very low (below 1%) and the vulnerability is not listed in the CISA KEV catalog, suggesting that it is not currently being targeted by widespread exploitation campaigns. Because the flaw requires local manipulation of the app configuration, the threat is largely confined to situations where an attacker already has physical or root access to the device. Nonetheless, once the key is exposed, the confidentiality and integrity of any data protected under that key are compromised. Administrators should treat the risk as moderate until a vendor-supplied fix is confirmed. At present, no public exploit beyond the disclosed proof of concept is known.

Generated by OpenCVE AI on April 3, 2026 at 08:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check if a newer version of the Rico application is available and review the vendor’s release notes for a fix; if an update is available, install it promptly.
  • If no update exists, consider disabling or removing the SEGMENT_WRITE_KEY configuration from the device or preventing local modification of that setting through device‑level controls.
  • Apply device hardening measures to restrict local access, such as enforcing strong authentication for ADB or root tools, and monitor application logs for abnormal cryptographic activity.

Advisories

No advisories yet.

History

Fri, 03 Apr 2026 12:45:00 +0000

Type: Metrics
Values removed: (none)
Values added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Rico; Rico só Vantagem Pra Investir App

Type: Vendors & Products
Values removed: (none)
Values added: Rico; Rico só Vantagem Pra Investir App

Fri, 03 Apr 2026 05:15:00 +0000

Type: Description
Values removed: (none)
Values added: A vulnerability has been found in Rico só vantagem pra investir App up to 4.58.32.12421 on Android. This issue affects some unknown processing of the file br/com/rico/mobile/di/SegmentSettingsModule.java of the component br.com.rico.mobile. Such manipulation of the argument SEGMENT_WRITE_KEY leads to use of hard-coded cryptographic key. The attack can only be performed from a local environment. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Type: Title
Values removed: (none)
Values added: Rico só vantagem pra investir App br.com.rico.mobile SegmentSettingsModule.java hard-coded key

Type: Weaknesses
Values removed: (none)
Values added: CWE-320; CWE-321

Type: References
Values removed: (none)
Values added: (none listed)

Type: Metrics
Values removed: (none)
Values added:
cvssV2_0
{'score': 1.7, 'vector': 'AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
cvssV3_0
{'score': 3.3, 'vector': 'CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
cvssV3_1
{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
cvssV4_0
{'score': 4.8, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-03T11:20:13.272Z

Reserved: 2026-04-02T22:10:44.860Z

Link: CVE-2026-5453

Vulnrichment

Updated: 2026-04-03T11:20:07.169Z

NVD

Status: Awaiting Analysis

Published: 2026-04-03T05:16:23.710

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-5453

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:15:48Z

Weaknesses