OPPO Clone Phone Vulnerability Leaks Sensitive Data via Weak WiFi Hotspot

A newly disclosed security vulnerability in OPPO’s widely used Clone Phone app has raised significant concerns over user privacy, as it exposes sensitive data through a weakly secured WiFi hotspot.

The flaw, cataloged as CVE-2025-27387, has been rated as high severity and was published in the National Vulnerability Database and GitHub Advisory Database within the past 24 hours.

CVE-2025-27387: Technical Details and Mitigation

The OPPO Clone Phone app is designed to facilitate seamless data transfer between devices by creating a temporary WiFi hotspot.

However, security researchers have found that the app employs a weak password for this hotspot, making it susceptible to unauthorized access by nearby attackers. 

This vulnerability allows malicious actors within WiFi range to intercept and retrieve files being transferred, potentially exposing personal photos, contacts, messages, and other sensitive information.

The vulnerability does not require any user interaction or special privileges to exploit, and the attack complexity is considered low.

According to the Common Vulnerability Scoring System (CVSS v3.1), the flaw has a base score of 7.4 out of 10, highlighting its critical impact on confidentiality while not affecting data integrity or system availability. 

The attack vector is classified as “adjacent,” meaning an attacker must be within WiFi range but does not need to be on the same network or possess any credentials.

Security analysts warn that this type of weakness is not unique to OPPO. Academic studies have previously identified similar vulnerabilities in WiFi hotspot-based data clone services across multiple Android manufacturers, noting that weak authentication and encryption practices can lead to widespread information disclosure.

 In OPPO’s case, the use of a predictable or easily guessable password for the hotspot is the root cause, making it trivial for attackers to join the network and capture data in transit.

• CVE ID: CVE-2025-27387
• Severity: High (CVSS 7.4)

OPPO has acknowledged the vulnerability and recommends users update the Clone Phone app to the latest version as soon as a patch becomes available. 

Users are also advised to avoid using the data transfer feature in public or untrusted environments and to manually set a strong, unique password for any WiFi hotspot created during device migration.

This incident underscores the importance of robust security practices in device migration tools and the need for manufacturers to implement strong authentication and encryption by default.

As mobile users increasingly rely on such utilities for personal data transfer, even a temporary lapse in security can have lasting privacy consequences.

Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates