Multiple vulnerabilities in Fermax mobile apps and services

Posted date 28/03/2025
Identifier
INCIBE-2025-0164
Importance
4 - High
Affected Resources
  • DuoxMe iOS application, versions prior to 3.3.1.
  • Authentication service on MeetMe products, versions prior to 2024-09.
  • Call forwarding service in MeetMe products, versions prior to 2024-09.
Description

INCIBE has coordinated the publication of 4 vulnerabilities, one of high severity and 3 of medium severity, affecting Fermax's DuoxMe mobile application and MeetMe video door entry services. The vulnerabilities were discovered by the Fermax cybersecurity team.

Each vulnerability has been assigned the following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type:

  • CVE-2025-2908: CVSS v4.0: 8.5 | CVSS AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N | CWE-522.
  • CVE-2025-2909: CVSS v4.0: 6.9 | CVSS AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-312.
  • CVE-2025-2910: CVSS v4.0: 6.9 | CVSS AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N | CWE-204.
  • CVE-2025-2911: CVSS v4.0: 5.3 | CVSS AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N | CWE-307.
Solution

The Fermax team has fixed the vulnerabilities in version 3.3.1 of the iOS DuoxMe application and in version 2024-09 of the authentication and call forwarding services in MeetMe products.

Detail
  • CVE-2025-2908: the exposure of credentials in the call forwarding configuration module in MeetMe products in versions prior to 2024-09 allows an attacker to gain access to some important assets via configuration files.
  • CVE-2025-2909: the lack of encryption in the DuoxMe (formerly Blue) application binary in versions prior to 3.3.1 for iOS devices allows an attacker to gain unauthorised access to the application code and discover sensitive information.
  • CVE-2025-2910: user enumeration in the password reset module of the MeetMe authentication service in versions prior to 2024-09 allows an attacker to determine whether an email address is registered, because the service returns a distinct error message for unknown addresses.
  • CVE-2025-2911: unauthorised access to the call forwarding service in MeetMe products in versions prior to 2024-09 allows an attacker to identify multiple users and perform brute force attacks via extensions.
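The two weakness classes behind CVE-2025-2910 (CWE-204, a response that differs for registered and unregistered addresses) and CVE-2025-2911 (CWE-307, no limit on repeated attempts) are illustrated below with an added example that is not Fermax code and does not describe the MeetMe service's implementation: a password-reset handler in its leaking form beside a hardened form that returns one uniform message and throttles repeated requests. The `REGISTERED` set and the `ResetService` class are constructed for the example.

```python
import time
from collections import defaultdict

# Constructed sample of registered accounts; not real data.
REGISTERED = {"alice@example.com", "bob@example.com"}


def reset_vulnerable(email: str) -> dict:
    """CWE-204: the status and message reveal whether the address exists."""
    if email not in REGISTERED:
        return {"status": 404, "message": "No account with that email"}
    return {"status": 200, "message": "Reset link sent"}


class ResetService:
    """Hardened handler: identical response either way, plus a per-address
    request limit so the endpoint cannot be hammered (CWE-307)."""

    GENERIC = "If an account exists for this address, a reset link has been sent."

    def __init__(self, max_requests=3, window_s=3600, clock=time.monotonic):
        self.max_requests = max_requests
        self.window_s = window_s
        self.clock = clock          # injectable for deterministic tests
        self._attempts = defaultdict(list)
        self.sent = []              # stand-in for an outbound e-mail queue

    def _throttled(self, email: str) -> bool:
        # Applied to every address, known or not, so the limit itself
        # does not become a new observable discrepancy.
        now = self.clock()
        recent = [t for t in self._attempts[email] if now - t < self.window_s]
        self._attempts[email] = recent
        if len(recent) >= self.max_requests:
            return True
        recent.append(now)
        return False

    def reset(self, email: str) -> dict:
        if self._throttled(email):
            return {"status": 429, "message": "Too many requests, try again later"}
        if email in REGISTERED:
            # The only difference is a side effect the caller cannot observe.
            self.sent.append(email)
        return {"status": 200, "message": self.GENERIC}
```

A production service would additionally limit by client source and keep the response timing uniform, since a slow e-mail send on the registered branch is itself an observable difference.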