CVE-2019-14326
Description
An issue was discovered in AndyOS Andy versions up to 46.11.113. By default, it starts telnet and ssh (ports 22 and 23) with root privileges in the emulated Android system. This can be exploited by remote attackers to gain full access to the device, or by malicious apps installed inside the emulator to perform privilege escalation from a normal user to root (unlike with standard methods of getting root privileges on Android - e.g., the SuperSu program - the user is not asked for consent). There is no authentication performed - access to a root shell is given upon a successful connection. NOTE: although this was originally published with a slightly different CVE ID number, the correct ID for this Andy vulnerability has always been CVE-2019-14326.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AndyOS Andy emulator up to v46.11.113 exposes telnet and SSH with root access and no authentication, allowing privilege escalation from user to root without consent.
Vulnerability
AndyOS Andy, an Android emulator for Windows and Mac, up to version 46.11.113 (and possibly newer versions) starts telnet and SSH daemons on ports 22 and 23 inside the emulated Android system with root privileges and no password protection [1][2]. This is an improper access control issue (CWE-284) that allows any connection to obtain a root shell without authentication.
Exploitation
The emulated Android device is only accessible within a VMWare network visible to the host OS and the emulated system itself, so remote exploitation from outside the host is not possible [1][2]. However, a malicious app installed inside the emulator can exploit the open ports by connecting to localhost on port 22 or 23 using tools like busybox telnet and piping commands to the root shell [1][2]. No user interaction or consent is required.
Impact
Successful exploitation grants an attacker full root access to the emulated Android system, bypassing standard Android privilege escalation mechanisms (e.g., SuperSu) that typically require user consent [1][2]. This allows the attacker to execute arbitrary commands, install software, access sensitive data, and completely compromise the emulated environment.
Mitigation
No official patch has been released by AndyOS. The recommended workaround is to kill the telnet and SSH daemons inside the emulated system [1][2]. Users should disable these services or avoid installing untrusted apps in the emulator. The product may be end-of-life; users are advised to consider alternative emulators.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- AndyOS/AndyOSdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- seqred.pl/en/cve-privilege-escalation-in-andy/mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.