The system application (com.transsion.kolun.aiservice) component does not perform an authentication check, which allows attackers to perform malicious exploitations and affect system services.
The com.transsion.kolun.aiservice component, which is part of the Tecno HiOS system software, does not implement an authentication mechanism (CWE-306) or identity verification (CWE-287) before handling requests. This means that any application or external entity capable of communicating with this component can invoke it without any permissions. An attacker can thus interact with system services and perform malicious operations that would normally require appropriate privileges.
An attacker without any privileges and without user interaction can remotely execute malicious actions on device system services, potentially gaining full access to sensitive data, modifying system state, or causing its destabilization (high confidentiality, integrity, and availability according to CVSS vector).
Security patches available from the manufacturer should be applied according to references — security updates are published by Tecno Security Response Center at https://security.tecno.com/SRC/securityUpdates?type=SA. It is recommended to install available system software updates on Tecno devices as soon as possible.
Devices running Tecno HiOS containing the com.transsion.kolun.aiservice system application component; specific versions indicated in manufacturer references.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HTecno Hios
OSTecno13.0.0
Related vulnerabilities
Pominięcie uwierzytelnienia w aplikacji Tecno Boomplay (Android)
Interface exposure vulnerability in the mobile application (com.transsion.carlcare) may lead to information l...
The mobile application (com.transsnet.store) has a man-in-the-middle attack vulnerability, which may lead to c...
The Tecno Spark Pro Android device with a build fingerprint of TECNO/H3722/TECNO-K8:7.0/NRD90M/K8-H3722ABCDE-N...
Unprotected service in the AudioLink component allows a local attacker to overwrite system files via unauthori...