Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-67264

CVE-2025-67264: Doogee Note59 RCE Vulnerability

CVE-2025-67264 is a remote code execution flaw in Doogee Note59, Note59 Pro, and Note59 Pro+ devices that allows local attackers to execute arbitrary code via ADB shell. This post covers technical details, impact, and mitigation.

Published:

CVE-2025-67264 Overview

An OS command injection vulnerability exists in the com.sprd.engineermode component affecting multiple Doogee smartphone models. This vulnerability allows a local attacker to execute arbitrary code and escalate privileges via the EngineerMode ADB shell. Notably, this vulnerability represents an incomplete patch for CVE-2025-31710, indicating the original fix was insufficient in addressing the underlying security issue.

Critical Impact

Local attackers can achieve arbitrary code execution and privilege escalation on affected Doogee devices through the EngineerMode ADB shell interface.

Affected Products

  • Doogee Note59
  • Doogee Note59 Pro
  • Doogee Note59 Pro+

Discovery Timeline

  • 2026-01-23 - CVE-2025-67264 published to NVD
  • 2026-01-26 - Last updated in NVD database

Technical Details for CVE-2025-67264

Vulnerability Analysis

This OS command injection vulnerability (CWE-78) resides in the com.sprd.engineermode component, a diagnostic and engineering utility commonly included in devices using Unisoc (formerly Spreadtrum) chipsets. The vulnerability allows injection of arbitrary OS commands through the EngineerMode interface when accessed via ADB (Android Debug Bridge).

The root issue stems from an incomplete patch for the previously disclosed CVE-2025-31710. While the original vulnerability received a security update, the fix failed to adequately sanitize or validate all user-controllable input paths, leaving an exploitable attack surface. This is a common pattern where patch bypass vulnerabilities emerge due to insufficient coverage of all vulnerable code paths or edge cases in input handling.

Root Cause

The vulnerability originates from improper neutralization of special elements used in OS commands (CWE-78). The com.sprd.engineermode component fails to properly sanitize user input before incorporating it into system commands. The incomplete remediation of CVE-2025-31710 suggests that while some input validation was added, additional command injection vectors remained unpatched, allowing attackers to bypass the implemented security controls.

Attack Vector

The attack requires local access to the device, typically through ADB shell connectivity. An attacker with ADB access can interact with the EngineerMode component to inject malicious commands that execute with elevated privileges. The local attack vector requirement means physical access or prior compromise enabling ADB connectivity is necessary, though once achieved, the attacker can leverage this vulnerability for full privilege escalation.

The EngineerMode component, designed for device diagnostics and testing, inherently requires elevated permissions to perform its intended functions. By exploiting the command injection flaw, attackers can hijack these elevated permissions to execute arbitrary code with system-level access.

Detection Methods for CVE-2025-67264

Indicators of Compromise

  • Unexpected ADB connections or sessions on affected Doogee devices
  • Unusual process execution originating from the com.sprd.engineermode component
  • Log entries showing command execution anomalies in engineering mode services
  • Privilege escalation events or unauthorized root access attempts

Detection Strategies

  • Monitor ADB connection logs for unauthorized access attempts to affected devices
  • Implement application-level logging to track EngineerMode component activity
  • Deploy endpoint detection solutions capable of monitoring Android process execution chains
  • Alert on unexpected shell command execution patterns from engineering components

Monitoring Recommendations

  • Enable verbose logging on affected devices when feasible for forensic analysis
  • Monitor device management platforms for signs of compromised Doogee devices
  • Review enterprise mobile device management (MDM) logs for anomalous ADB activity
  • Establish baselines for normal EngineerMode component behavior to detect deviations

How to Mitigate CVE-2025-67264

Immediate Actions Required

  • Disable ADB debugging on affected Doogee devices in production environments
  • Restrict physical access to devices to prevent unauthorized ADB connections
  • Review and audit any devices that may have been exposed to potential exploitation
  • Contact Doogee support for firmware update availability and timeline

Patch Information

At the time of publication, users should check the Doogee Official Website for security updates addressing this vulnerability. Additional technical documentation is available on the GitHub CVE-2025-67264 Documentation page. Given this vulnerability represents a patch bypass for CVE-2025-31710, any updates should be verified to comprehensively address all command injection vectors.

Workarounds

  • Disable USB debugging (ADB) on all affected devices when not actively required for development
  • Enable "Revoke USB debugging authorizations" to remove previously authorized computers
  • Implement device-level restrictions preventing unauthorized USB connections
  • Consider disabling or restricting the com.sprd.engineermode component if enterprise device management capabilities allow
bash
# Disable ADB debugging on Android devices
adb shell settings put global adb_enabled 0

# Verify ADB is disabled
adb shell settings get global adb_enabled
# Expected output: 0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.