Cyber Posture

CVE-2025-1298

Critical

Published: 14 February 2025

Modified: 15 April 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0018 (39.2nd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Logic vulnerability in the mobile application (com.transsion.carlcare) may lead to the risk of account takeover.

Security Summary

CVE-2025-1298 is a logic vulnerability, classified under CWE-290 (Authentication Bypass by Spoofing), in the mobile application com.transsion.carlcare that may lead to account takeover. The vulnerability affects the Carlcare app, which ships on Transsion devices such as those from TECNO, and carries a critical CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). It was published on 2025-02-14T08:15:30.877.

According to the CVSS vector, the vulnerability is exploitable remotely over the network with low attack complexity and requires neither privileges nor user interaction. Successful exploitation has a high impact on confidentiality, integrity, and availability, potentially resulting in full account takeover for affected users.

Security practitioners should consult the vendor advisories for mitigation guidance and patch information, available at https://security.tecno.com/SRC/blogdetail/383?lang=en_US and https://security.tecno.com/SRC/securityUpdates.

Details

CWE(s)
CWE-290 (Authentication Bypass by Spoofing)

References