CyberSec.Space Logo
CVEブラウザに戻る

CVE-2017-5626

CRITICAL
9.8
CVSS Severity Score
EPSS Score0.1380%
EPSS Percentile16.68th
Published2017年3月12日
Last Modified2026年5月13日

Vulnerability Description

OxygenOS before version 4.0.2, on OnePlus 3 and 3T, has two hidden fastboot oem commands (4F500301 and 4F500302) that allow the attacker to lock/unlock the bootloader, disregarding the 'OEM Unlocking' checkbox, without user confirmation and without a factory reset. This allows for persistent code execution with high privileges (kernel/root) with complete access to user data.

Affected Platforms (CPE)

💻
Oneplus

Oxygenos

<= 3.2.8
💻
Oneplus

Oxygenos

<= 3.5.4

References & Advisories

🔗 https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/
🔗 https://securityresear.ch/2017/02/08/oneplus3-bootloader-vulns/

関連する脆弱性情報

CVE-2017-56249.8

An issue was discovered in OxygenOS before 4.0.3 for OnePlus 3 and 3T. The attacker can persistently make the (locked) bootloader ...

CVE-2017-55548.1

An issue was discovered in ABOOT in OnePlus 3 and 3T OxygenOS before 4.0.2. The attacker can reboot the device into the fastboot m...

CVE-2017-59476.8

An issue was discovered in OnePlus One, X, 2, 3, 3T, and 5 devices with OxygenOS 5.0 and earlier. The attacker can reboot the devi...

CVE-2017-56236.6

An issue was discovered in OxygenOS before 4.1.0 on OnePlus 3 and 3T devices. The attacker can change the bootmode of the device b...