CVE-2025-25983

An attacker who obtains access to a QR code generated by the V380 Pro app's device-sharing feature can recover plaintext credentials. The QR code contains AES-encrypted credentials, but the encryption key is included in the same QR code payload [ref_id=1]. The attacker scans the QR code, extracts the Base64-encoded key and ciphertext, and decrypts using standard tools like CyberChef or a Python script [ref_id=1]. The attack requires network access to the QR code (e.g., via a compromised user's screenshot, physical access, or interception during sharing) and authenticated access to the app to generate the QR code in the first place [CWE-257, CWE-656].

The advisory does not specify exact source files or functions. The vulnerable component is the QR-code based device sharing feature in the V380 Pro Android application versions 2.1.44 and 2.1.64 [ref_id=1]. The flaw lies in how the app constructs the QR code payload: it encrypts credentials with AES but embeds the AES key in the same payload.

No patch is published in the bundle. The advisory recommends that the vendor stop sharing the encryption key alongside the ciphertext, and instead use a key-exchange mechanism or a key derived from a shared secret that is never transmitted [ref_id=1]. The advisory also suggests informing users that credentials embedded in QR codes can be recovered, so they can make informed sharing decisions [ref_id=1].

1. Obtain a QR code generated by the V380 Pro app's device-sharing feature. 2. Scan the QR code to extract the raw payload. 3. Use a regular expression to extract the AES key and ciphertext from the payload (both are Base64-encoded). 4. Decrypt the ciphertext using AES-ECB with a zero IV and the extracted key. 5. The resulting plaintext contains the device credentials in Base64-encoded fields; decode them to recover the plaintext credentials [ref_id=1]. A CyberChef recipe is provided in the advisory that automates these steps [ref_id=1].