CVE-2025-21615: Medium Vulnerability in AAT (Another Activity Tracker)

AAT (Another Activity Tracker) has a medium-severity vulnerability that lets malicious apps on the same device exfiltrate data. Organizations should prioritize patching to mitigate risks associated with this vulnerability.

MEDIUM · CVSS 5.5 · Published January 6, 2025

CVE-2025-21615 is a medium-severity vulnerability affecting AAT (Another Activity Tracker), a GPS-tracking application primarily used for tracking cycling activities. The vulnerability allows data exfiltration by malicious applications installed on the same device as AAT and affects versions lower than v1.26. This vulnerability poses a significant risk, as it could lead to unauthorized access to sensitive user data.

The CVSS score for this vulnerability is 5.5, indicating a medium severity. This score reflects the potential impact of the vulnerability, which includes high confidentiality impact, as sensitive data could be accessed by unauthorized applications. The attack vector is classified as local, meaning that an attacker would need physical or logical access to the device to exploit this vulnerability.

Organizations should take immediate action to address this vulnerability, as attackers may leverage it to gain unauthorized access to user data. The exploitation status for this vulnerability is currently unknown, but given its potential for data exfiltration, it is crucial to prioritize remediation efforts. Organizations are urged to upgrade to version 1.26 or later of AAT to mitigate this risk.

Urgency for defenders is moderate; organizations should schedule remediation as part of their patch management process to protect against potential data breaches.

Vulnerability Details

The vulnerability allows data exfiltration by malicious apps installed on the same device. This is categorized under CWE-200, which refers to exposure of sensitive information. The CVSS vector string is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N, indicating that the attack requires user interaction and has a low attack complexity.

Technical Analysis

The root cause of this vulnerability lies in the application's inadequate protection against unauthorized data access by other applications on the device. Specifically, AAT lacks sufficient isolation from potentially malicious applications that could exploit the data access permissions granted to it.

The attack vector is local, meaning that an attacker must have physical access to the device or be able to install malicious applications on it. The attack complexity is low, indicating that it does not require advanced skills to exploit. No privileges are required to perform the attack, and user interaction is necessary, as the malicious app must be installed and executed by the user.

The potential impacts of this vulnerability include a high confidentiality impact, as sensitive user data could be accessed by an attacker. However, the integrity and availability impacts are rated as none.

Risk & Impact Analysis

Risk to organizations includes the potential for unauthorized access to sensitive user data, which could result in privacy violations and damage to the organization's reputation. The blast radius is significant if the vulnerability is exploited, as it affects all users of the application on devices with vulnerable versions.

Given the current CVSS score of 5.5 and the known exploitation status as deferred, organizations should address this vulnerability in their priority patch cycle to mitigate these risks effectively.

Exploitation Status

Signal | Status
Known Exploit | No
Public PoC | No
Actively Exploited | No
Ransomware Use | No

Affected Versions

All versions prior to the vendor patch (v1.26) are affected. Users should upgrade to version 1.26 or later to mitigate this vulnerability.

Mitigation & Remediation

Organizations should prioritize patching immediately. Upgrading to v1.26 or later is crucial to eliminate this vulnerability. In addition, organizations can implement configuration hardening measures to restrict applications' data access permissions.

Detection Guidance

Monitoring for unusual data access patterns or unauthorized app installations can help detect potential exploitation of this vulnerability. Organizations should also review logs for any unauthorized access attempts related to sensitive information.

AppSecure Threat Intelligence Insight

This vulnerability highlights the importance of application security in a multi-app environment, where malicious applications can exploit weaknesses in other applications to access sensitive data. Organizations should adopt a proactive approach to security by regularly auditing their application security posture.

For more guidance on securing applications and conducting thorough security assessments, organizations can refer to our resources on application security assessments and best practices.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
