CVE-2026-30290: InTouch Contacts & Caller ID RCE Flaw

CVE-2026-30290 Overview

An arbitrary file overwrite vulnerability exists in InTouch Contacts & Caller ID APP version 6.38.1. This flaw allows attackers to overwrite critical internal files via the file import process, potentially leading to arbitrary code execution or information exposure. The vulnerability is classified as CWE-22 (Path Traversal), indicating improper limitation of a pathname to a restricted directory.

Critical Impact

Successful exploitation allows attackers to overwrite critical application files through the import functionality, potentially achieving code execution or exposing sensitive user data stored within the application.

Affected Products

• InTouch Contacts & Caller ID APP v6.38.1

Discovery Timeline

• 2026-03-31 - CVE-2026-30290 published to NVD
• 2026-04-02 - Last updated in NVD database

Technical Details for CVE-2026-30290

Vulnerability Analysis

This vulnerability stems from insufficient input validation during the file import process within the InTouch Contacts & Caller ID mobile application. The application fails to properly sanitize user-supplied file paths, allowing an attacker to craft malicious import files containing path traversal sequences (such as ../ or similar constructs) to escape the intended directory structure.

When a user imports a seemingly legitimate contact file, the application processes the embedded file paths without adequate validation. This enables an attacker to target files outside the application's designated storage directory, potentially overwriting configuration files, shared libraries, or other critical application components.

The local attack vector indicates that exploitation requires either physical access to the device or the ability to convince a user to import a malicious file. Once the malicious import file is processed, the attacker can achieve arbitrary code execution by overwriting executable components or expose sensitive information by manipulating data files.

Root Cause

The root cause of CVE-2026-30290 is a path traversal vulnerability (CWE-22) in the file import handler. The application does not implement proper path canonicalization or validate that destination paths remain within the application's sandbox. This allows directory traversal sequences embedded in import file metadata to be processed literally, enabling file writes to arbitrary locations accessible by the application's permissions.

Attack Vector

The attack requires local access and exploits the file import functionality of the InTouch Contacts & Caller ID application. An attacker crafts a malicious import file (such as a VCF or backup file) containing path traversal sequences in the filename or path fields. When a user imports this file through the application's normal import workflow, the traversal sequences cause the application to write data outside its intended directory, overwriting target files.

The vulnerability can be exploited without user authentication or elevated privileges. Attack scenarios include:

1. Social engineering users to import a malicious contact backup file
2. Distributing malicious import files through file sharing platforms
3. Exploiting automatic import features if the application monitors specific directories

For detailed technical information, refer to the GitHub Issue #19 Discussion and the SecSys Fudan Research Site.

Detection Methods for CVE-2026-30290

Indicators of Compromise

• Unexpected modifications to application configuration files or shared libraries
• Presence of files with path traversal sequences (../, ..\\) in import logs or file system audit trails
• Application crashes or unexpected behavior following file import operations
• Modified timestamps on critical system or application files coinciding with import activity

Detection Strategies

• Monitor file system activity for write operations targeting paths outside the application's designated data directory during import operations
• Implement file integrity monitoring on critical application components to detect unauthorized modifications
• Analyze import file contents for path traversal sequences before processing
• Review application logs for import operations involving suspicious file paths

Monitoring Recommendations

• Enable verbose logging for the InTouch Contacts & Caller ID application to capture import operation details
• Deploy mobile threat defense solutions capable of detecting path traversal exploitation attempts
• Implement behavioral monitoring to alert on unexpected file modifications by the application
• Monitor for signs of code execution anomalies following import operations

How to Mitigate CVE-2026-30290

Immediate Actions Required

• Avoid importing contact files or backups from untrusted or unknown sources
• Only import files directly obtained from trusted contacts or official backup processes
• Consider temporarily disabling file import functionality until a patch is available
• Review recently imported files and verify application integrity

Patch Information

At the time of publication, no official vendor patch has been released for CVE-2026-30290. Users should monitor the InTouch App official website for security updates and apply any patches immediately upon release. Additional technical details are available through the GitHub Issue #19 Discussion.

Workarounds

• Restrict import functionality to files from verified, trusted sources only
• Implement organizational policies prohibiting import of contact files from unknown origins
• Use mobile device management (MDM) solutions to control application data import capabilities where possible
• Maintain regular backups of device and application data to enable recovery if file corruption occurs
• Consider using alternative contact management applications until a security update is released

Users should exercise heightened caution with any file import operations in the affected application version until an official patch is available from the vendor.