CVE-2025-50861: The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 contains an exported component, PushDeepLink...
The Lotus Cars Android app (com.lotus.carsdomestic.intl) 1.2.8 contains an exported component, PushDeepLinkActivity, which is accessible without authentication via ADB or malicious apps. This poses a risk of unintended access to application internals and can cause denial of service or logic abuse.
Security readout for executives and security teams
Plain-English summary
CVE-2025-50861 affects the Lotus Cars Android app version 1.2.8. An exposed app component may be reachable without authentication, letting another app or ADB trigger internal behavior. Reported impact is limited unintended access, denial of service, or logic abuse. No active exploitation is identified in the provided sources.
Executive priority
Treat as a medium-priority mobile app risk. It is not currently reported as exploited, but affected managed devices should be identified and updated or restricted. Priority is higher where employees use the Lotus app on corporate-managed Android devices or where untrusted app installation is permitted.
Technical view
The issue is an exported Android component, PushDeepLinkActivity, in com.lotus.carsdomestic.intl 1.2.8. The CVE maps to CWE-284 and CWE-400 with CVSS 3.1 score 6.5. The description says access is possible via ADB or malicious apps without authentication, potentially affecting confidentiality and availability.
Likely exposure
Exposure appears limited to Android devices with Lotus Cars app com.lotus.carsdomestic.intl version 1.2.8 installed. Enterprise exposure depends on whether managed mobile devices allow this app or untrusted apps. The CVE record does not provide broader affected version ranges.
Exploitation context
The provided CVE data does not show CISA KEV listing or active exploitation. Abuse would require interaction with the affected mobile app environment, such as a malicious local app or ADB access, based on the description. No public weaponization status is provided.
Researcher notes
Evidence is limited to the CVE description and linked researcher repository. The CVSS vector lists network attack, while the description emphasizes ADB or malicious apps; validate the true attack surface before scoring internally. No patch, fixed version, or vendor advisory is named in the provided sources.
Mitigation direction
Check Lotus or app store guidance for an updated fixed version.
Update the Lotus Cars Android app if a vendor fix is available.
Remove or restrict the app on managed devices if not required.
Limit installation of untrusted Android apps on affected devices.
Restrict ADB access on managed or corporate Android devices.
Validation and detection
Inventory Android devices for package com.lotus.carsdomestic.intl version 1.2.8.
Confirm whether PushDeepLinkActivity is exported in the installed APK manifest.
Check mobile device management records for affected app deployment.
Review vendor release notes or app store listings for fixed versions.
Prioritize devices with untrusted app installation allowed.
Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.
Potential ATT&CK relevance
Conservative CVE-to-ATT&CK context
These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.
ATT&CK lookup starting points
Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.
cwe · medium confidence lookup
CWE-284: Authorization and privilege behavior lookup
Authorization weaknesses can support privilege escalation and valid-account review, depending on exploit path. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.
These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.
We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.
CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.
CWE-284 · source CWE mapping
Improper Access Control
Improper Access Control represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.
Uncontrolled Resource Consumption represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.