{"id":12787,"date":"2026-05-12T10:04:02","date_gmt":"2026-05-12T10:04:02","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/12\/poc-exploit-released-for-android-zero-click-vulnerability-that-enables-remote-shell-access\/"},"modified":"2026-05-12T10:04:02","modified_gmt":"2026-05-12T10:04:02","slug":"poc-exploit-released-for-android-zero-click-vulnerability-that-enables-remote-shell-access","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/12\/poc-exploit-released-for-android-zero-click-vulnerability-that-enables-remote-shell-access\/","title":{"rendered":"PoC Exploit Released for Android Zero-Click Vulnerability that Enables Remote Shell Access"},"content":{"rendered":"<p>    PoC Exploit Released for Android Zero-Click Vulnerability that Enables Remote Shell Access<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n    <!-- no image --><br \/>\n \t<BR><br \/>\n<BR><\/BR><\/p>\n<div>\n<p>In a chilling blow to mobile security, Google\u2019s May 2026 Android Security Bulletin has unmasked a catastrophic zero-click vulnerability lurking within the core Android System.<\/p>\n<p>The <a href=\"https:\/\/cybersecuritynews.com\/android-zero-click-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-0073 flaw in Android\u2019s adbd daemon<\/a> lets nearby threat actors remotely gain full shell access without victim interaction.<\/p>\n<p>Unearthed by BARGHEST security researchers, this critical cryptographic breakdown completely shatters Android\u2019s debugging trust model, transforming a standard developer tool into an invisible, weaponized backdoor.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-android-zero-click-poc-released\"><strong>Android Zero-Click PoC Released<\/strong><\/h2>\n<p>The foundation of CVE-2026-0073 is a cryptographic logic error in the\u00a0<code>adbd_tls_verify_cert<\/code>\u00a0function of the\u00a0<code>auth.cpp\u00a0<\/code>file.<\/p>\n<p>Modern wireless ADB connections rely on mutual <a href=\"https:\/\/cybersecuritynews.com\/opossum-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">TLS authentication<\/a> to ensure that a connecting client is a previously paired and trusted host.<\/p>\n<p>During this handshake, the system uses the\u00a0<code>EVP_PKEY_cmp<\/code>\u00a0API to compare the client\u2019s certificate public key against authorized RSA keys stored on the device.<\/p>\n<p>If an attacker supplies a non-RSA certificate, such as EC P-256 or Ed25519, the comparison API returns -1 to flag a cross-algorithm mismatch.<\/p>\n<p>Because the underlying C++ implementation treats all non-zero integers as a boolean success, the daemon incorrectly validates the attacker\u2019s mismatched certificate as a trusted host key.<\/p>\n<figure class=\"wp-block-video\"><video controls src=\"https:\/\/barghest.asia\/videos\/cve-2026-0073-adb-tls-auth-bypass.mp4\"><\/video><\/figure>\n<p>While the logic flaw is straightforward, weaponizing it requires precise manipulation of protocol.<\/p>\n<p>An attacker must first establish a TCP connection, successfully negotiate the STLS upgrade sequence, and then supply the malicious cross-algorithm certificate.<\/p>\n<p>Once this authentication gate is bypassed, the attacker can resume ADB framing inside the encrypted tunnel to open a remote shell.<\/p>\n<p>This grants the attacker execution privileges as the\u00a0shell\u00a0user, allowing them to bypass normal application sandboxes.<\/p>\n<p>Consequently, threat actors can extract sensitive personal information, abuse package management to silently <a href=\"https:\/\/cybersecuritynews.com\/hackers-abuse-github-issue-notifications\/\" target=\"_blank\" rel=\"noreferrer noopener\">install malicious applications<\/a>, and manipulate system settings to stage further device exploitation.<\/p>\n<p><a href=\"https:\/\/barghest.asia\/blog\/cve-2026-0073-adb-tls-auth-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">According to Barghest Research<\/a>, the vulnerability mainly affects Android 14, 15, and 16 devices under specific state conditions.<\/p>\n<p>Successful exploitation demands the following prerequisites:<\/p>\n<ul class=\"wp-block-list\">\n<li>Developer options are actively enabled on the target device.<\/li>\n<li>Wireless debugging, or ADB over TCP, is exposed on the network.<\/li>\n<li>The device trust store contains at least one previously paired RSA host key.<\/li>\n<li>The attacker has adjacent network reachability to <a href=\"https:\/\/cybersecuritynews.com\/new-xlabs_v1-botnet-targets-minecraft-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">the device\u2019s ADB TCP port 5555<\/a>.<\/li>\n<\/ul>\n<p>Device users and enterprise administrators must apply the May 2026 security patch immediately to resolve this critical flaw.<\/p>\n<p>To proactively reduce attack surfaces, users should turn off <a href=\"https:\/\/cybersecuritynews.com\/bluetooth-headphones-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">wireless debugging<\/a> on untrusted networks and revoke authorizations for unknown debugging hosts.<\/p>\n<p>Turning off Developer options entirely when not in use is highly recommended to protect against automated local network exploitation attempts.<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(180deg,rgb(238,238,238) 91%,rgb(169,184,195) 100%)\"><strong>Follow us on\u00a0<a href=\"https:\/\/news.google.com\/publications\/CAAqMggKIixDQklTR3dnTWFoY0tGV041WW1WeWMyVmpkWEpwZEhsdVpYZHpMbU52YlNnQVAB?hl=en-IN&amp;gl=IN&amp;ceid=IN:en\" target=\"_blank\" rel=\"noreferrer noopener\">Google News<\/a>,\u00a0<a href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>,\u00a0and\u00a0<a href=\"https:\/\/x.com\/cyber_press_org\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/poc-exploit-android-zero-click-vulnerability\/\">PoC Exploit Released for Android Zero-Click Vulnerability that Enables Remote Shell Access<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Abinaya<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/poc-exploit-android-zero-click-vulnerability\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>PoC Exploit Released for Android Zero-Click Vulnerability that Enables Remote Shell Access In a chilling blow to mobile security, Google\u2019s May 2026 Android Security Bulletin has unmasked a catastrophic zero-click vulnerability lurking within the core Android System. The CVE-2026-0073 flaw in Android\u2019s adbd daemon lets nearby threat actors remotely gain full shell access without victim [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[509,129,63,131],"tags":[130],"class_list":["post-12787","post","type-post","status-publish","format-standard","hentry","category-android","category-cyber-security","category-cyber-security-news","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12787"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=12787"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/12787\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=12787"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=12787"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=12787"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}