PT-2019-9083 · Asus · Asus Zenfone Live, Asus Zenfone 3 Max

Published: 2019-04-25 · Updated: 2019-10-03 · CVE-2018-14993

CVSS v2.0: 7.2 (High)

Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

ASUS Zenfone V Live version 7.1.1
ASUS Zenfone 3 Max version 7.0

Description

The pre-installed platform app com.asus.splendidcommandagent contains an exported service named com.asus.splendidcommandagent.SplendidCommandAgentService that allows any app co-located on the device to supply arbitrary commands to be executed as the system user. This can enable a third-party app to perform various malicious actions, such as video recording the user's screen, factory resetting the device, obtaining the user's notifications, reading the logcat logs, injecting events in the Graphical User Interface (GUI), changing the default Input Method Editor (IME) with one contained within the attacking app that contains keylogging functionality, and obtaining the user's text messages.

Recommendations

For ASUS Zenfone V Live version 7.1.1: Consider disabling the com.asus.splendidcommandagent app or restricting its functionality until a patch is available.

For ASUS Zenfone 3 Max version 7.0: Consider disabling the com.asus.splendidcommandagent app or restricting its functionality until a patch is available.

As a temporary workaround, consider restricting access to the com.asus.splendidcommandagent.SplendidCommandAgentService service to minimize the risk of exploitation.
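To check firmware apps for the condition described above, the following added example (not part of the advisory and not ASUS code) scans a decoded AndroidManifest.xml for services that are exported without a guarding permission and reports whether the app shares the system UID. The manifest is constructed: only the package and service names come from the advisory, and all attribute values plus the `.GuardedService`, `.InternalService` and `.ImplicitService` entries are assumptions.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample manifest (NOT the vendor's real file): only the package and
# service names come from the advisory; every attribute value is an assumption.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.asus.splendidcommandagent" android:sharedUserId="android.uid.system">
  <application>
    <service android:name="com.asus.splendidcommandagent.SplendidCommandAgentService"
             android:exported="true"/>
    <service android:name=".GuardedService" android:exported="true"
             android:permission="com.example.permission.SIGNATURE_ONLY"/>
    <service android:name=".InternalService" android:exported="false"/>
    <service android:name=".ImplicitService">
      <intent-filter><action android:name="com.example.ACTION"/></intent-filter>
    </service>
  </application>
</manifest>"""


def unguarded_exported_services(manifest_xml):
    """Return names of services that any co-located app can start or bind to."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    app = root.find("application")
    if app is None:
        return []
    app_permission = app.get(ANDROID + "permission")
    findings = []
    for svc in app.findall("service"):
        exported = svc.get(ANDROID + "exported")
        if exported is None:
            # Before Android 12, an intent-filter implied exported="true".
            exported = "true" if svc.find("intent-filter") is not None else "false"
        permission = svc.get(ANDROID + "permission") or app_permission
        if exported == "true" and not permission:
            name = svc.get(ANDROID + "name", "")
            findings.append(package + name if name.startswith(".") else name)
    return findings


def runs_as_system(manifest_xml):
    """True when the app shares the system UID, so its services act as system."""
    return ET.fromstring(manifest_xml).get(ANDROID + "sharedUserId") == "android.uid.system"


if __name__ == "__main__":
    print(unguarded_exported_services(SAMPLE_MANIFEST), runs_as_system(SAMPLE_MANIFEST))
```

A declared permission only restricts callers if its protection level is signature (or similar); the check above treats any declared permission as a guard, so review flagged-clean services for weak permission levels separately.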

Related Identifiers

CVE-2018-14993

Affected Products

Asus Zenfone 3 Max
Asus Zenfone Live