H4cKr1337

CVE-2025-45083 - FULL DISCLOSURE

Jun 29th, 2025 (edited)
CVE ASSIGNED: CVE-2025-45083
CVE PUBLISHED STATE: PUBLISHED
CVE LINK: https://nvd.nist.gov/vuln/detail/CVE-2025-45083

Description:
An Incorrect Access Control vulnerability exists in the Ullu Android app v2.9.929, the Ullu iOS app v2.8.0, and the Ullu Web Platform (https://ullu.app). The application's parental PIN protection feature can be bypassed by attackers via brute force, because PIN entry has no rate-limiting or lockout mechanism. This allows unauthorized users to disable the parental lock feature and gain unrestricted access to adult content on the platform.

For the mobile apps, the 4-digit PIN can be brute-forced locally, either manually through the app interface or by intercepting the PIN check with instrumentation tools such as Frida. For the web version, attackers can simply capture and replay the HTTP request that disables the parental PIN and automate a brute-force attack without triggering any defensive mechanism.
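The condition the description names, a PIN check that answers every guess without limit, is easiest to see beside its fix. The following Python is an added example and not code from the Ullu apps or web platform: the class names, the five-failure threshold and the sixty-second base lockout are assumptions chosen for illustration. It generalises the advisory's single case, since the same per-account lockout applies to any short numeric secret.

```python
"""Parental-PIN verification: the weak form (unlimited, instant guesses) beside
a hardened form that locks PIN entry after repeated failures.
Added example with hypothetical class names; not code from the Ullu apps."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from enum import Enum


class PinResult(Enum):
    OK = "ok"
    WRONG = "wrong"
    LOCKED = "locked"


def _pin_digest(pin: str, salt: bytes) -> bytes:
    # Salted hash so the stored PIN is not kept in clear text; a production
    # store would use a slow KDF (PBKDF2, Argon2) rather than plain SHA-256.
    return hashlib.sha256(salt + pin.encode()).digest()


class WeakPinGate:
    """No rate limit and no lockout: every guess is answered at once."""

    def __init__(self, pin: str):
        self.salt = os.urandom(16)
        self.digest = _pin_digest(pin, self.salt)

    def verify(self, account: str, guess: str) -> PinResult:
        if hmac.compare_digest(self.digest, _pin_digest(guess, self.salt)):
            return PinResult.OK
        return PinResult.WRONG


@dataclass
class _Attempts:
    failures: int = 0
    lockouts: int = 0
    locked_until: float = 0.0


class HardenedPinGate:
    """Per-account lockout: after MAX_FAILURES wrong guesses, PIN entry for that
    account is refused for a period that doubles with each successive lockout.
    The state must be held server-side; a client-only check can be instrumented away."""

    MAX_FAILURES = 5            # assumed threshold
    BASE_LOCKOUT_SECONDS = 60.0  # assumed base lockout

    def __init__(self, pin: str, clock=time.monotonic):
        self.salt = os.urandom(16)
        self.digest = _pin_digest(pin, self.salt)
        self.clock = clock  # injectable so lockout expiry can be exercised
        self.attempts: dict[str, _Attempts] = {}

    def seconds_locked(self, account: str) -> float:
        st = self.attempts.get(account)
        return max(0.0, st.locked_until - self.clock()) if st else 0.0

    def verify(self, account: str, guess: str) -> PinResult:
        st = self.attempts.setdefault(account, _Attempts())
        now = self.clock()
        if now < st.locked_until:
            return PinResult.LOCKED  # refused before the guess is evaluated
        if hmac.compare_digest(self.digest, _pin_digest(guess, self.salt)):
            st.failures = 0
            return PinResult.OK
        st.failures += 1
        if st.failures >= self.MAX_FAILURES:
            st.locked_until = now + self.BASE_LOCKOUT_SECONDS * 2 ** st.lockouts
            st.lockouts += 1
            st.failures = 0
        return PinResult.WRONG


def sequential_guess_outcome(gate, account: str) -> tuple:
    """Submit 0000..9999 in order with no time passing and report
    (pin_found, guesses_actually_evaluated) for the given gate."""
    evaluated = 0
    for n in range(10_000):
        result = gate.verify(account, f"{n:04d}")
        if result is PinResult.LOCKED:
            continue
        evaluated += 1
        if result is PinResult.OK:
            return True, evaluated
    return False, evaluated


if __name__ == "__main__":
    print("weak gate:", sequential_guess_outcome(WeakPinGate("7431"), "acct-1"))
    gate = HardenedPinGate("7431", clock=lambda: 0.0)
    print("hardened gate:", sequential_guess_outcome(gate, "acct-1"))
```

Run stand-alone, the weak gate answers 7,432 guesses before the constructed PIN 7431 is hit, while the hardened gate evaluates five and refuses everything after, correct PIN included, until the lockout expires. The counter is keyed by account and kept on the server; a counter inside the mobile client is exactly the kind of local logic the advisory's Frida step works around.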

Impact:
1. Bypass of parental controls, exposing restricted content to unauthorized users
2. Violation of content accessibility protections, especially for underage users
3. Escalation of privileges by circumventing access restrictions
4. Legal and compliance risks related to age-restricted content delivery

Attack Scenario:
Web:
1. User navigates to https://ullu.app/
2. Captures the HTTP request sent when entering a parental PIN
3. Brute-forces the 4-digit PIN using automated scripts (e.g., via Burp Intruder or a custom Python script)
4. Disables parental control without authorization

Android & iOS App:
1. Attacker installs the app
2. Logs in using leaked credentials for any account but is blocked by the parental PIN protection
3. Sends repeated PIN attempts until the correct one is identified (via Frida)
4. Alternatively, manually tries PINs within the app interface (0000–9999)

Technical Details:
1. Vulnerability Type: Incorrect Access Control
2. CWE Classification: CWE-284 – Improper Access Control
3. Attack Type: Remote (for web), Local/Remote (for apps)

Affected Versions:
1. Android App: v2.9.929 (Play Store)
2. iOS App: v2.8.0 (App Store)
3. Web Platform: https://ullu.app

Impact: Escalation of Privileges, Inappropriate Content Exposure

Affected Products:
1. Ullu Web Platform: https://ullu.app
2. Ullu Android App: https://play.google.com/store/apps/details?id=cdi.videostreaming.app (v2.9.929)
3. Ullu iOS App: https://apps.apple.com/us/app/ullu/id1435281792 (v2.8.0)

Vendor Information:
1. Vendor: Ullu
2. Website: https://ullu.app/

Proof of Concept (PoC):
Web:
1. Intercept the HTTP request triggered by entering the parental PIN
2. Use a script or Burp Intruder to iterate through the 0000–9999 PIN range
3. The parental PIN is eventually disabled, and restricted content becomes accessible
4. PoC for web at: https://drive.google.com/file/d/1gVZDcBDvkQzw12SKBvRYgcaQt4UoC_KP/view?usp=sharing

Apps (Android/iOS):
1. Use a proxy (e.g., Burp Suite) or local instrumentation (e.g., Frida)
2. Identify the endpoint or local logic verifying the PIN (Frida)
3. Iterate all 4-digit PIN combinations using automated input or request fuzzing
4. A successful PIN bypass results in unlocking adult content
5. PoC for app at: https://drive.google.com/file/d/1-wUA6dNIMVbv-KV7ZUDnTtC4_avh5pGf/view?usp=sharing
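From the defender's side, the PoC steps above leave a plain signature in server logs: many failed PIN verifications for one account, or from one client, inside a short window. The following Python is an added detection example run over constructed log lines; it is not the platform's code or logs, and the log line format, the endpoint path /api/parental-pin/verify and the failure status codes are assumptions.

```python
"""Detection for the PIN brute-force pattern: flag any account or client IP
whose failed PIN verifications inside a sliding window reach a threshold.
Added example; the log format, endpoint path and status codes are assumptions
for illustration, not Ullu's, and the sample log lines are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed access-log shape: ISO timestamp, client IP, account, path, status.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) account=(?P<acct>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d{3})$"
)
PIN_PATH = "/api/parental-pin/verify"  # hypothetical endpoint
FAIL_STATUSES = {401, 403}             # assumed "wrong PIN" responses
WINDOW = timedelta(seconds=60)
THRESHOLD = 10  # failures per key within WINDOW that raise an alert


def parse_line(line: str):
    """Return (ts, ip, account, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["ip"], m["acct"],
            m["path"], int(m["status"]))


def detect_pin_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of failed PIN checks keyed by account and by IP.
    Returns {(kind, key): {"failures", "first", "last"}} for each key whose
    failures within `window` first reach `threshold`."""
    recent = defaultdict(deque)  # key -> timestamps of recent failures
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, ip, acct, path, status = rec
        if path != PIN_PATH or status not in FAIL_STATUSES:
            continue
        for key in (("account", acct), ("ip", ip)):
            hits = recent[key]
            hits.append(ts)
            while ts - hits[0] > window:  # evict entries outside the window
                hits.popleft()
            if len(hits) >= threshold and key not in alerts:
                alerts[key] = {"failures": len(hits),
                               "first": hits[0], "last": ts}
    return alerts


def constructed_log() -> list:
    """Constructed sample: a legitimate user who mistypes once, one line the
    parser must skip, and a client that fails a PIN check every two seconds."""
    base = datetime.fromisoformat("2025-06-29T10:00:00+00:00")

    def fmt(ts, ip, acct, status):
        return (f"{ts.isoformat()} ip={ip} account={acct} "
                f"path={PIN_PATH} status={status}")

    lines = [fmt(base + timedelta(seconds=1), "203.0.113.5", "u100", 401),
             fmt(base + timedelta(seconds=5), "203.0.113.5", "u100", 200),
             "garbage line the parser must skip"]
    lines += [fmt(base + timedelta(seconds=2 * i), "198.51.100.7", "u200", 401)
              for i in range(12)]
    return sorted(lines)


if __name__ == "__main__":
    for key, info in detect_pin_bruteforce(constructed_log()).items():
        print(f"ALERT {key[0]}={key[1]}: {info['failures']} failed PIN checks "
              f"between {info['first'].time()} and {info['last'].time()}")
```

The same sliding-window counter is what the server consults when it enforces a lockout; here it is run retrospectively over logs so an operator can tell whether guessing took place before a fix was deployed. Keying by both account and IP means a single source hitting one account and many sources hitting one account are both reported, while the mistyping user with one failure stays below the threshold.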

Discoverer:
Ishwar Kumar