CVE-2021-25266 - Insecure Storage of Sensitive Information vulnerability in Sophos Authenticator and Intercept X

CVSS 3.9 - LOW
Attack vector: PHYSICAL
Attack complexity: LOW
Privileges required: HIGH
Confidentiality impact: HIGH
Integrity impact: NONE
Availability impact: NONE
Tags: low complexity, sophos, CWE-922

Summary

An insecure data storage vulnerability allows a physical attacker with root privileges to retrieve TOTP secret keys from unlocked phones in Sophos Authenticator for Android version 3.4 and older, and Intercept X for Mobile (Android) before version 9.7.3495.

Vulnerable Configurations

Part | Description | Count
Application | Sophos | 2

Common Weakness Enumeration (CWE)