CWE-925
Improper Verification of Intent by Broadcast Receiver
Description
The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
Certain types of Intents, identified by action string, can only be broadcast by the operating system itself, not by third-party applications. However, when an application registers to receive these implicit system intents, it is also registered to receive any explicit intents. While a malicious application cannot send an implicit system intent, it can send an explicit intent to the target application, which may assume that any received intent is a valid implicit system intent and not an explicit intent from another application. This may lead to unintended behavior.
Parent Weaknesses (ChildOf)
Common Consequences
Scope
Impact
Gain Privileges or Assume Identity
Potential Mitigations
Before acting on the Intent, check the Intent Action to make sure it matches the expected System action.
CVE-2025-20972Mobile app store does not properly verify the intent by the broadcast receiver, allowing local attackers to write arbitrary files
CVE-2024-10576Mobile device has an application that exposes a broadcast received that allows local attackers to force a factory reset
Applicable Platforms
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now