Industry News & Leadership | May 12, 2026

PoC Exploit Released for Android Zero-Click Vulnerability that Enables Remote Shell Access

Cybersecurity News | Archived May 12, 2026

By Abinaya, May 12, 2026

In a chilling blow to mobile security, Google’s May 2026 Android Security Bulletin has unmasked a catastrophic zero-click vulnerability lurking within the core Android System. The CVE-2026-0073 flaw in Android’s adbd daemon lets nearby threat actors remotely gain full shell access without victim interaction.

Unearthed by BARGHEST security researchers, this critical cryptographic breakdown completely shatters Android’s debugging trust model, transforming a standard developer tool into an invisible, weaponized backdoor.

Android Zero-Click PoC Released

The foundation of CVE-2026-0073 is a cryptographic logic error in the adbd_tls_verify_cert function of the auth.cpp file. Modern wireless ADB connections rely on mutual TLS authentication to ensure that a connecting client is a previously paired and trusted host. During this handshake, the system uses the EVP_PKEY_cmp API to compare the client’s certificate public key against authorized RSA keys stored on the device. If an attacker supplies a non-RSA certificate, such as EC P-256 or Ed25519, the comparison API returns -1 to flag a cross-algorithm mismatch. Because the underlying C++ implementation treats all non-zero integers as a boolean success, the daemon incorrectly validates the attacker’s mismatched certificate as a trusted host key.

While the logic flaw is straightforward, weaponizing it requires precise manipulation of the protocol. An attacker must first establish a TCP connection, successfully negotiate the STLS upgrade sequence, and then supply the malicious cross-algorithm certificate. Once this authentication gate is bypassed, the attacker can resume ADB framing inside the encrypted tunnel to open a remote shell.
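The return-value mistake described above, reduced to a self-contained C model and set beside a strict check. This is an added example, not adbd's source and not code from the original article; model_pkey_cmp, the pubkey struct and the sample keys are constructed stand-ins that only mirror the EVP_PKEY_cmp result codes (1 match, 0 mismatch, -1 different key types).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: 'id' stands in for the key material. */
enum key_type { KEY_RSA, KEY_EC_P256, KEY_ED25519 };
struct pubkey { enum key_type type; unsigned id; };

/* Hypothetical stand-in mirroring EVP_PKEY_cmp's result codes:
 * 1 = match, 0 = same type but different key, -1 = different key types. */
static int model_pkey_cmp(const struct pubkey *a, const struct pubkey *b) {
    if (a->type != b->type) return -1;
    return a->id == b->id ? 1 : 0;
}

/* Flawed pattern: the int is used as a truth value, so -1 counts as a match. */
bool is_trusted_flawed(const struct pubkey *c, const struct pubkey *store, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (model_pkey_cmp(c, &store[i])) return true;
    return false;
}

/* Hardened pattern: only the explicit "match" value authenticates. */
bool is_trusted_strict(const struct pubkey *c, const struct pubkey *store, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (model_pkey_cmp(c, &store[i]) == 1) return true;
    return false;
}

/* Constructed sample data: one paired RSA host, plus unpaired clients. */
static const struct pubkey PAIRED_STORE[] = { { KEY_RSA, 1001 } };
static const struct pubkey PAIRED_HOST  = { KEY_RSA, 1001 };
static const struct pubkey RSA_STRANGER = { KEY_RSA, 2002 };
static const struct pubkey EC_STRANGER  = { KEY_EC_P256, 3003 };

int main(void) {
    const struct pubkey *clients[] = { &PAIRED_HOST, &RSA_STRANGER, &EC_STRANGER };
    const char *names[] = { "paired RSA", "unpaired RSA", "unpaired EC P-256" };
    for (size_t i = 0; i < 3; i++)
        printf("%-18s flawed=%d strict=%d\n", names[i],
               is_trusted_flawed(clients[i], PAIRED_STORE, 1),
               is_trusted_strict(clients[i], PAIRED_STORE, 1));
    /* With an empty trust store nothing is compared, so even the flawed check rejects. */
    printf("empty store        flawed=%d\n", is_trusted_flawed(&EC_STRANGER, PAIRED_STORE, 0));
    return 0;
}
```

In code review, any tri-state comparison result used directly as an `if` condition deserves the same scrutiny: the accepted value should be named explicitly.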
This grants the attacker execution privileges as the shell user, allowing them to bypass normal application sandboxes. Consequently, threat actors can extract sensitive personal information, abuse package management to silently install malicious applications, and manipulate system settings to stage further device exploitation.

According to Barghest Research, the vulnerability mainly affects Android 14, 15, and 16 devices under specific state conditions. Successful exploitation demands the following prerequisites:

- Developer options are actively enabled on the target device.
- Wireless debugging, or ADB over TCP, is exposed on the network.
- The device trust store contains at least one previously paired RSA host key.
- The attacker has adjacent network reachability to the device’s ADB TCP port 5555.

Device users and enterprise administrators must apply the May 2026 security patch immediately to resolve this critical flaw. To proactively reduce attack surfaces, users should turn off wireless debugging on untrusted networks and revoke authorizations for unknown debugging hosts. Turning off Developer options entirely when not in use is highly recommended to protect against automated local network exploitation attempts.