CVE-2026-5804 - Motorola Factory Test Improper Authentication Vulnerability
The Motorola Factory Test component (com.motorola.motocit) contains an improper authentication vulnerability, allowing a local attacker to bypass permission checks and access protected device settings by leveraging a writable file descriptor in external storage to open a TCP server.
CVE-2026-5804 is an improper authentication vulnerability in the Motorola Factory Test component (com.motorola.motocit), which is present on Motorola (now Lenovo) Android devices. The application contains a reference to a writable file descriptor in external storage. A malicious third-party application running on the same device can use this file descriptor to open a TCP server. This could expose sensitive permissions and data, enabling a local attacker to bypass permission checks and ultimately access protected device settings. This vulnerability poses a significant risk to device security and user privacy.
Attack Chain
- Attacker installs a malicious application on the Android device.
- The malicious application identifies the writable file descriptor associated with the Motorola Factory Test component in external storage.
- The malicious application leverages the writable file descriptor to open a TCP server.
- The TCP server allows the malicious application to intercept communications intended for the Motorola Factory Test component.
- The malicious application bypasses authentication checks due to the exposed permissions.
- The malicious application gains unauthorized access to protected device settings.
- The attacker modifies sensitive device configurations, potentially compromising device security and user data.
Impact
Successful exploitation of CVE-2026-5804 allows a local attacker to bypass permission checks and access protected device settings on affected Motorola devices. This could lead to unauthorized modification of device configurations, exposure of sensitive data, and overall compromise of device security. The vulnerability has a CVSS v3.1 base score of 8.4, indicating a high severity.
Recommendation
- Apply the security update provided by Lenovo as described in the Motorola support article to patch CVE-2026-5804 (https://en-us.support.motorola.com/app/answers/detail/a_id/192534).
- Deploy the Sigma rule provided below to detect applications attempting to access the Motorola Factory Test component via TCP connections.
Detection coverage (2 rules)
Detect TCP Connection to Motorola Factory Test Component
Severity: medium. Detects applications attempting to establish TCP connections related to the Motorola Factory Test component, potentially indicating exploitation of CVE-2026-5804.
Detect Access to Writable File Descriptor of Motorola Factory Test
Severity: high. Detects processes attempting to access writable file descriptors associated with the Motorola Factory Test component, indicative of potential unauthorized access.
Detection queries are available on the platform.
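For triage on a single device, the TCP-listener detection described above can be approximated by attributing listening sockets to packages. The following is an added example, not one of the platform's rules or Motorola's code: it assumes the IPv4 socket table (`/proc/net/tcp` format) and `pm list packages -U` output were collected as text, and the UIDs, ports and the `com.example.flashlight` package in the sample are constructed.

```python
import socket
import struct

TARGET_PKG = "com.motorola.motocit"   # package name from the advisory
FIRST_APP_UID = 10000                 # Android assigns app UIDs from 10000 upward
TCP_LISTEN = "0A"                     # LISTEN state code in /proc/net/tcp

def parse_pkg_uids(pm_output):
    """Map uid -> [package names] from `pm list packages -U` style lines."""
    uids = {}
    for line in pm_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].startswith("package:") and parts[1].startswith("uid:"):
            uid = int(parts[1][4:].split(",")[0])
            uids.setdefault(uid, []).append(parts[0][len("package:"):])
    return uids

def decode_addr(hex_addr):
    """Decode 'AABBCCDD:PPPP' (IPv4 stored little-endian, port in hex)."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)

def app_listeners(proc_net_tcp, pm_output):
    """Return LISTEN sockets owned by app UIDs or by the factory test package."""
    pkgs = parse_pkg_uids(pm_output)
    findings = []
    for line in proc_net_tcp.splitlines()[1:]:       # skip the header row
        f = line.split()
        if len(f) < 8 or f[3] != TCP_LISTEN:
            continue                                  # not a listening socket
        uid = int(f[7])
        owners = pkgs.get(uid, [])
        if uid < FIRST_APP_UID and TARGET_PKG not in owners:
            continue                                  # unrelated system daemon
        ip, port = decode_addr(f[1])
        verdict = "factory test listener" if TARGET_PKG in owners else "app-owned listener: review"
        findings.append({"uid": uid, "packages": owners or ["<unknown>"],
                         "ip": ip, "port": port, "verdict": verdict})
    return findings

# Constructed sample data, not captured from a real device.
SAMPLE_PM = "package:com.motorola.motocit uid:10150\npackage:com.example.flashlight uid:10231\n"
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:13AD 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 1111
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10231        0 2222
   2: 0100007F:9C40 0100007F:D431 01 00000000:00000000 00:00000000 00000000 10150        0 3333
   3: 0100007F:C350 00000000:0000 0A 00000000:00000000 00:00000000 00000000 10150        0 4444
"""
if __name__ == "__main__":
    print(*app_listeners(SAMPLE_TCP, SAMPLE_PM), sep="\n")
```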