CVE-2018-7901
Description
RCS module in Huawei ALP-AL00B smart phones with software versions earlier than 8.0.0.129, BLA-AL00B smart phones with software versions earlier than 8.0.0.129 has a remote control vulnerability. An attacker can trick a user to install a malicious application. When the application connects with RCS for the first time, it needs user to manually click to agree. In addition, the attacker needs to obtain the key that RCS uses to authenticate the application. Successful exploitation may cause the attacker to control keyboard remotely.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Remote control vulnerability in Huawei RCS module allows an attacker to control keyboard after user installs malicious app.
Vulnerability
A remote control vulnerability exists in the RCS (Rich Communication Services) module of Huawei ALP-AL00B and BLA-AL00B smartphones with software versions earlier than 8.0.0.129 [1]. The bug resides in the authentication mechanism for new application connections to the RCS service [1].
Exploitation
An attacker must first trick the user into installing a malicious application on the device [1]. When the application connects to RCS for the first time, the user must manually click to agree to the connection [1]. Additionally, the attacker needs to obtain the cryptographic key that RCS uses to authenticate the application [1]. The attacker must control both the malicious app and possess the authentication key to complete the attack [1].
Impact
Successful exploitation allows the attacker to remotely control the keyboard of the affected smartphone [1]. This enables the attacker to capture keystrokes, potentially leading to disclosure of sensitive information such as passwords or messages. The attacker gains control over user input without further user interaction after the initial consent [1].
Mitigation
Huawei released software updates to fix this vulnerability [1]. Users should upgrade to version 8.0.0.129(SP2C00) or later for both ALP-AL00B and BLA-AL00B models [1]. No workarounds are documented in the advisory. The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog at time of publication.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
3- Huawei Technologies Co., Ltd./ALP-AL00B, BLA-AL00Bv5Range: ALP-AL00B, earlier versions than 8.0.0.129, BLA-AL00B, earlier versions than 8.0.0.129
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- www.huawei.com/en/psirt/security-advisories/huawei-sa-20180425-01-rcs-enmitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.