The Mobile Security Framework (MobSF), a widely utilized tool, contains two critical zero-day vulnerabilities. These vulnerabilities, designated as CVE-2025-46335 and CVE-2025-46730, impact all versions of MobSF up to and including version 4.3.2. If exploited, they could result in system compromise and significant service disruption.

MobSF is a popular security research platform used for mobile application penetration testing, malware analysis, and security assessment across Android, iOS, and Windows Mobile platforms. Organizations using MobSF typically deploy it on centralized internal or cloud-based servers, granting access to security teams, audit teams, and external vendors.

“These vulnerabilities are particularly concerning because MobSF is deployed on centralized servers in many organizations, often alongside other critical security tools and web applications,” said Shah, who discovered the issues during a routine security assessment.

When an Android Studio project containing a malicious SVG file as an app icon is zipped and uploaded to MobSF, the framework extracts the contents without proper validation. The other issue is a compressed upload that expands far beyond its on-the-wire size. “When the MobSF tool extracts this zip file, it expands to its original massive size, potentially exhausting all available server storage with a single request,” Shah explained.

The MobSF development team has acknowledged these security flaws and promptly released patches in version 4.3.3. Security advisories have been published with detailed information about both vulnerabilities; users can refer to the official security advisories published on the MobSF GitHub repository.

Shah noted, “This vulnerability discovery highlights the importance of continual security testing, even for security tools themselves.”
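The storage-exhaustion pattern Shah describes, as an added defensive example that is not MobSF's code or its fix: an upload handler reads the archive's declared sizes before writing anything, then inflates under a hard byte budget. The limits, function names and the two sample archives are assumptions constructed for this example.

```python
import io
import zipfile

# Assumed policy limits for this example (not MobSF's own values).
MAX_INFLATED = 10 * 1024 * 1024  # 10 MiB inflated per upload
MAX_RATIO = 100                  # reject archives compressed tighter than 100:1
def declared_stats(data: bytes) -> dict:
    """Read only the central directory: nothing is inflated or written yet."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    uncompressed = sum(i.file_size for i in infos)
    compressed = sum(i.compress_size for i in infos)
    return {"entries": len(infos), "uncompressed": uncompressed,
            "ratio": uncompressed / max(compressed, 1)}
def inflate_with_budget(data: bytes) -> int:
    """Count bytes as they are actually inflated and stop once the budget is
    exceeded (returns -1), so the limit holds whatever the headers claim.
    A real extractor would write each chunk to disk instead of dropping it."""
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            with zf.open(info) as fh:
                while chunk := fh.read(64 * 1024):
                    total += len(chunk)
                    if total > MAX_INFLATED:
                        return -1
    return total
def vet_upload(data: bytes) -> tuple[bool, str]:
    """Both gates in order: cheap metadata check, then bounded inflation."""
    s = declared_stats(data)
    if s["uncompressed"] > MAX_INFLATED:
        return False, f"declared size {s['uncompressed']} exceeds budget"
    if s["ratio"] > MAX_RATIO:
        return False, f"compression ratio {s['ratio']:.0f}:1 exceeds limit"
    if inflate_with_budget(data) < 0:
        return False, "inflated size exceeds budget"
    return True, "ok"
def build_zip(entries: dict) -> bytes:
    """Build an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()
# Constructed samples: a small project manifest, and 20 MiB of zeros that
# deflate to a few KiB, the shape of the storage-exhausting upload above.
MANIFEST = (b'<?xml version="1.0" encoding="utf-8"?>\n<manifest package="com.example.sample">\n'
            b'    <application android:icon="@mipmap/ic_launcher" />\n</manifest>\n')
BENIGN = build_zip({"app/src/main/AndroidManifest.xml": MANIFEST})
BOMB = build_zip({"app/src/main/res/raw/big.bin": b"\0" * (20 * 1024 * 1024)})
```

The second gate matters even when the first passes: the central directory is attacker-supplied metadata, while the running count is what actually landed on disk.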
This Cyber News was published on cybersecuritynews.com. Publication date: Tue, 06 May 2025 15:15:20 +0000