Malicious Package
Description
MintegralAdSDK before 6.6.0.0 contains a backdoor enabling remote code execution by Mintegral and its partners.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MintegralAdSDK before 6.6.0.0 contains a backdoor enabling remote code execution by Mintegral and its partners.
Vulnerability
The MintegralAdSDK package, versions before 6.6.0.0, is a malicious package that contains a backdoor. The SDK, distributed by Mintegral, includes hidden functionality that allows remote code execution on the user's device. This backdoor is present in both iOS and Android versions of the SDK, as identified by Snyk researchers [1][2].
Exploitation
An attacker, specifically Mintegral or its advertiser partners, can remotely execute arbitrary code on a device running an application that integrates the vulnerable SDK. No special user interaction is required beyond normal app usage; the SDK receives commands from remote servers and executes them. The attacker can trigger the backdoor by serving malicious ad content or through other remote commands [1][2].
Impact
Successful exploitation grants the attacker remote code execution on the user's device. This can lead to full compromise of the application's data and functionality, and potentially the device itself, including information disclosure, data theft, and further malicious activities. The attacker operates with the privileges of the host application [1][2].
Mitigation
Upgrade MintegralAdSDK to version 6.6.0.0 or higher to remediate the vulnerability. No workarounds are available; removing the SDK entirely is recommended if an upgrade is not possible. The fix was released on or before October 19, 2020 [2]. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Mintegral/AdSDKdescription
- Range: <6.6.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"The MintegralAdSDK contained hidden backdoor classes (MTGInvocationBoxing, MTGRemoteCommandParser, etc.) that allowed remote invocation of arbitrary native methods via JavaScript bridge communication."
Attack vector
An attacker (Mintegral or its advertiser partners) can remotely execute arbitrary code on any device displaying an ad through the SDK [ref_id=1]. The MTGBaseBridgeWebView communicates with JavaScript, and the backdoor classes (MTGCommandDispatcher, MTGRemoteCommandParser, MTGInvocationBoxing, etc.) allow invocation of any native static method within the application [ref_id=1]. The SDK's remote configuration can trigger this functionality, meaning no user interaction beyond viewing an ad is required. The vulnerability existed in all SDK versions before 6.6.0.0 [ref_id=1].
Affected code
The iOS SDK distributed by Mintegral contained the classes MTGCommandDispatcher, MTGComponentCommands, MTGRemoteCommand, MTGRemoteCommandParameterModel, MTGRemoteCommandParser, and MTGInvocationBoxing [ref_id=1]. The MTGBaseBridgeWebView class, used to communicate with JavaScript, introduced the ability to execute arbitrary functions and native application code [ref_id=1]. Apple specifically identified the MTGInvocationBoxing class as the component that allows remote code execution [ref_id=1].
What the fix does
Mintegral released version 6.6.0.0 of the iOS SDK on September 10, 2020, which removed the MTGRemoteCommandParser backdoor component [ref_id=1]. A diff analysis by Snyk confirmed that six classes (MTGCommandDispatcher, MTGComponentCommands, MTGRemoteCommand, MTGRemoteCommandParameterModel, MTGRemoteCommandParser, and MTGInvocationBoxing) were removed in this version [ref_id=1]. Apple subsequently notified affected developers to remove the MTGInvocationBoxing class from their apps and submit an updated version within one week [ref_id=1].
Preconditions
- configThe device must have an app installed that uses the MintegralAdSDK version before 6.6.0.0
- inputThe device must display an ad served through the Mintegral SDK
- authThe attacker must be Mintegral or an advertiser partner able to serve ads through the SDK
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- snyk.io/blog/remote-code-execution-rce-sourmint/mitrex_refsource_MISC
- snyk.io/research/sour-mint-malicious-sdk/%23rcemitrex_refsource_MISC
- snyk.io/vuln/SNYK-COCOAPODS-MINTEGRALADSDK-1019377mitrex_refsource_MISC
- www.youtube.com/watchmitrex_refsource_MISC
News mentions
0No linked articles in our index yet.