Telpo MDM Insecure Data Storage Vulnerability Allowing Unauthorized Access to Administrator Functions and MQTT Server Interception

Vulnerability

A vulnerability exists in Telpo MDM versions 1.4.6 through 1.4.9 for Android, where sensitive administrator credentials and MQTT server connection details (IP and port) are stored in plaintext within log files on the device's external storage. This exposure allows attackers with access to these logs to authenticate to the MDM web platform and perform administrative tasks such as shutting down devices, performing factory resets, or installing software. Additionally, attackers can connect to the MQTT server to intercept or publish device data.

Impact

Exploitation of this vulnerability allows for unauthorized access to the MDM web platform with administrative privileges, enabling a range of administrative operations on managed devices. Furthermore, it permits unauthorized interception or publication of device data via the compromised MQTT server connection.
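A defender-side check for the exposure described above, as an added example that is not part of the original advisory or of Telpo's code: it scans log text pulled from a device for credential-style key/value pairs and broker endpoints, and reports the affected lines with the values masked. The log layout, key names and sample lines are assumptions, since the advisory does not publish the log format.

```python
import re

# Assumption: the advisory does not publish the log format, so the key names
# and key=value / key: value / JSON-style layouts below are illustrative.
CRED_RE = re.compile(
    r'(?i)("?\b(?:user(?:name)?|pass(?:word|wd)?|pwd|token|secret)\b"?\s*[:=]\s*"?)'
    r'([^\s"\',;&}]+)')
# Broker endpoints: scheme://host:port, or a bare IPv4:port pair.
URI_RE = re.compile(r'(?i)\b((?:tcp|ssl|mqtts?|wss?)://)[\w.-]+:\d{2,5}\b')
IP_PORT_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}:\d{2,5}\b')


def audit_line(line):
    """Return (kinds, redacted_line); matched values are masked in the output."""
    kinds = set()
    redacted, n = CRED_RE.subn(r'\1<redacted>', line)
    if n:
        kinds.add("credential")
    redacted, n1 = URI_RE.subn(r'\1<redacted-endpoint>', redacted)
    redacted, n2 = IP_PORT_RE.subn('<redacted-endpoint>', redacted)
    if n1 or n2:
        kinds.add("endpoint")
    return kinds, redacted


def audit_log(text):
    """Scan log text; return [(line_number, sorted kinds, redacted line)]."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        kinds, redacted = audit_line(line)
        if kinds:
            findings.append((number, sorted(kinds), redacted))
    return findings


# Constructed sample lines (not taken from a real Telpo MDM log).
SAMPLE_LOG = """\
08-26 20:17:01 I/Mdm: service started, version ok
08-26 20:17:02 D/Mdm: login request username=admin&password=Examp1e!
08-26 20:17:03 D/Mqtt: connecting to tcp://192.0.2.10:1883
08-26 20:17:04 D/Mqtt: broker {"host": "192.0.2.10:8883", "token": "abc123"}
08-26 20:17:05 I/Mdm: heartbeat sent
"""

if __name__ == "__main__":
    for number, kinds, redacted in audit_log(SAMPLE_LOG):
        print(f"line {number}: {', '.join(kinds)} -> {redacted}")
```

Any finding on logs from a managed device means the credentials and broker access it refers to should be treated as exposed and rotated.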

Added: Aug 26, 2025, 8:17 PM
Updated: Aug 26, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.6
exploitability: 3.3
remediation: 0.0
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.