ekofyi
Security Research

CVE-2026-5804: Motorola's Factory Test App Leaves a Writable File Descriptor Wide Open

A high-severity improper authentication flaw in Motorola's pre-installed Factory Test app (com.motorola.motocit) exposes a writable file descriptor in external storage, letting any local app escalate privileges without user interaction.

Your Motorola Phone Has a Pre-Installed Backdoor It Doesn't Need

Here's something that should make you uncomfortable: a component that was only ever meant to be used on the assembly line, Motorola's Factory Test app, ships on consumer devices with a vulnerability that lets any app on the phone write to a file that a privileged component trusts. No permissions dialog. No user interaction. Just a quiet path to escalation that's been sitting there since the device left the factory.

CVE-2026-5804 landed with a CVSS score of 8.4 HIGH, and it's the kind of bug that reminds you why pre-installed OEM bloatware is a systemic risk. If you're carrying a Motorola device, or you're responsible for a fleet of them, pay attention.

The vulnerability is in com.motorola.motocit — a package most users will never see, never open, and never think about. Which is exactly what makes it dangerous.

What Happened

The Motorola Factory Test component (com.motorola.motocit) is a diagnostic app used during manufacturing to verify hardware functionality — things like testing the display, sensors, radios, and storage. It's standard practice for OEMs to include these tools, but they're supposed to be locked down or removed before the device reaches consumers.

In this case, the app opens a writable file descriptor on a path in external storage. That is shared space: exactly which other apps can reach it depends on the Android version and on how the OEM configures the path (more on scoped storage below), but it is never the app's private sandbox. Nothing authenticates who is allowed to touch that file, which is what earns the "improper authentication" classification.

The CVE was published on 2026-05-19 and affects Motorola devices shipping with this component. Specific affected firmware versions haven't been fully enumerated in the NVD listing yet, but the component is common across multiple Motorola device lines.

The attack vector is local: the attacker needs code running on the device, which in practice means a malicious app installed from any source. Because the target is a plain file in external storage rather than a guarded IPC interface, the bar for exploitation is remarkably low.

Technical Deep-Dive: How the Attack Works

Let's break down what's happening under the hood.

Android's security model relies heavily on app sandboxing and permission boundaries. External storage (/sdcard/, which resolves to /storage/emulated/0/) is a shared space: prior to Android 11's scoped storage enforcement, any app holding READ_EXTERNAL_STORAGE or WRITE_EXTERNAL_STORAGE could read or write files anywhere in it. Even with scoped storage, an app that holds MANAGE_EXTERNAL_STORAGE, runs with legacy storage, or is a privileged system component granted broader access can still reach arbitrary paths there, and OEM builds decide which of their own components get that access. Nothing in external storage is private to the app that created it in the way files under getFilesDir() are.

The Factory Test app appears to open a file at a known path in external storage and keep a writable descriptor on it. The snippet below is this post's reconstruction of that pattern, not Motorola's source:

java
// Vulnerable pattern (illustrative reconstruction, not motocit's actual source)
import android.app.Service;
import android.content.Intent;
import android.os.IBinder;
import android.os.ParcelFileDescriptor;
import java.io.File;
import java.io.FileNotFoundException;

public class FactoryTestService extends Service {
    // Lives in shared external storage, so other apps can create or rewrite it
    private static final String FD_PATH = "/sdcard/.motocit/diag_fd";
    private ParcelFileDescriptor diagFd;

    @Override
    public void onCreate() {
        super.onCreate();
        try {
            // Opens (creating if needed) a read/write handle on a world-accessible path
            diagFd = ParcelFileDescriptor.open(
                new File(FD_PATH),
                ParcelFileDescriptor.MODE_READ_WRITE | ParcelFileDescriptor.MODE_CREATE);
        } catch (FileNotFoundException e) {
            // No fallback to private storage; the service simply carries on
        }
        // Nothing checks who wrote the file before it is read, nor who may write it later
    }

    @Override
    public IBinder onBind(Intent intent) {
        return null;
    }
}

The critical issue: nothing verifies who else can reach that file. The app doesn't check the UID or package signature of whatever wrote the file, and it doesn't restrict who can read or write the path. Any process that can reach the external storage path can plant or alter content that the Factory Test app then reads and acts on with its own privileges.

An exploit app doesn't need to do anything sophisticated:

java
// Exploit sketch: any app that can write the shared path can do this
import android.app.Activity;
import android.os.Bundle;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;

public class ExploitActivity extends Activity {
    // Placeholder: whatever content the Factory Test app will later read and act on
    private static final byte[] PAYLOAD =
        "attacker-controlled diagnostic input".getBytes(StandardCharsets.UTF_8);

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        File target = new File("/sdcard/.motocit/diag_fd");
        if (target.exists() && target.canWrite()) {
            // The write itself runs with this app's own (low) privileges.
            // The damage comes later, when motocit reads the file and acts on
            // its contents with motocit's privileges (confused deputy).
            try (FileOutputStream fos = new FileOutputStream(target)) {
                fos.write(PAYLOAD);
            } catch (IOException e) {
                e.printStackTrace();
            }
        }
    }
}

The root cause is a combination of two failures: storing a privileged resource in a world-accessible location, and failing to authenticate access to that resource. It's a textbook confused deputy problem — the Factory Test app acts on behalf of an unauthorized caller because it never asks "who are you and should you be doing this?"

What makes this particularly nasty is that com.motorola.motocit likely runs with elevated privileges (system-level or at minimum a platform signing key), since it needs hardware access for diagnostics. Whatever it does in response to the contents of that file, it does with those privileges.
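To make the two failures concrete outside Android, here is an added shell simulation (not code from the post, and not motocit's own logic) of a privileged reader that trusts a file in a world-writable directory, beside a reader that checks ownership, mode and symlink status before trusting it. The temp directory stands in for /sdcard, the filename diag_fd is the post's illustrative name, and file_is_trustworthy is a hypothetical helper; the planted content is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the post or from Motorola. Simulates the post's
# root cause: a privileged consumer (stand-in for the Factory Test app) reads a
# control file from a world-writable shared directory (stand-in for /sdcard)
# that any low-privilege process can write. "diag_fd" is the post's
# illustrative filename, not a real artifact.
set -u

# Check a privileged reader should apply to any file it did not create in its
# own private storage: regular file, not a symlink, owned by us, not writable
# by group or others. Returns 0 if all hold, 1 otherwise.
file_is_trustworthy() {
    local f mode
    f=$1
    [ -L "$f" ] && return 1       # symlink: the writer picks what we really open
    [ -f "$f" ] || return 1       # missing, directory, device node, ...
    [ -O "$f" ] || return 1       # created by someone else
    mode=$(LC_ALL=C ls -ld -- "$f" | cut -c1-10)   # e.g. -rw-r--r--
    case $mode in
        ?????w????|????????w?) return 1 ;;         # group- or world-writable
    esac
    return 0
}

# The post's pattern: read whatever sits at the shared path and act on it.
vulnerable_read_control() {
    cat -- "$1"
}

# Hardened: refuse anything the check rejects. The real fix is to keep the file
# under app-private storage so the question never arises; this is defense in
# depth for a path that must stay shared.
hardened_read_control() {
    if ! file_is_trustworthy "$1"; then
        echo "refused: $1 can be controlled by another process" >&2
        return 1
    fi
    cat -- "$1"
}

# Demo with a constructed layout: a 1777 directory like /sdcard's root and a
# file planted there by a "low-privilege" writer.
demo() {
    local shared planted
    shared=$(mktemp -d)
    chmod 1777 "$shared"
    planted=$shared/diag_fd
    printf 'mode=factory\nrun_all_tests=1\n' > "$planted"   # attacker-chosen content
    chmod 666 "$planted"
    if vulnerable_read_control "$planted" >/dev/null; then
        echo "vulnerable reader: consumed attacker-controlled content"
    fi
    if ! hardened_read_control "$planted" >/dev/null 2>&1; then
        echo "hardened reader: refused world-writable file"
    fi
    rm -rf "$shared"
}

demo
```

The ownership and mode tests are deliberately conservative: a file that is group-writable is refused even though the attacking app might not share the group, because on Android the shared-storage group (sdcard_rw and friends) is exactly what other apps get.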

Impact: Who Should Be Worried

This affects every Motorola device that ships with com.motorola.motocit installed and active. That's a broad swath of their consumer and enterprise lineup. The component is typically not removable without root access since it's a system app.

The practical impact: any malicious app — even one with zero dangerous permissions — can potentially escalate to system-level write access. In an enterprise context, this means a single sideloaded APK or a compromised app from the Play Store could pivot from "harmless" to "full device compromise" without triggering any security warnings.

The CVSS 8.4 reflects low attack complexity and no required privileges or user interaction. It is the value CVSS 3.1 produces for a local, no-privilege, no-interaction vector with high confidentiality, integrity and availability impact (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), so the local attack vector is the only thing keeping it below 9.

What To Do About It Right Now

First, check if you're affected. On any Motorola device, run:

bash
adb shell pm list packages | grep motocit

If you see package:com.motorola.motocit, you're carrying the vulnerable component.

For immediate mitigation, you can disable the package (this requires ADB access but not root):

bash
adb shell pm disable-user --user 0 com.motorola.motocit

This won't uninstall it, but it prevents the component from running and exposing the descriptor. Verify it's disabled:

bash
adb shell pm list packages -d | grep motocit

Warning: Disabling system packages can occasionally cause issues with OTA updates. If you're managing a device fleet, test this on a subset first before rolling it out broadly.
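The same three commands, folded into a fleet script as an added example (not code from the post or from Motorola). It assumes adb is on PATH and that every device of interest is attached and authorized; classify_state and check_device are hypothetical helper names. It reports by default and only runs the disabling step with --disable, so you can hold that back until the subset test above is done.

```shell
#!/bin/sh
# Added example, not code from the post or from Motorola: the post's three adb
# commands wrapped into a fleet check. Report-only by default; pass --disable
# to run "pm disable-user --user 0" on devices where the package is enabled.
set -u

PKG=com.motorola.motocit

# classify_state INSTALLED DISABLED
#   INSTALLED: raw output of `pm list packages`
#   DISABLED:  raw output of `pm list packages -d`
# Prints "absent", "enabled" or "disabled". Strips the \r that adb shell often
# leaves on each line (it breaks exact matching), and matches the whole line
# literally so a package merely prefixed with the name is not mistaken for it.
classify_state() {
    if ! printf '%s\n' "$1" | tr -d '\r' | grep -qxF "package:$PKG"; then
        echo absent
    elif printf '%s\n' "$2" | tr -d '\r' | grep -qxF "package:$PKG"; then
        echo disabled
    else
        echo enabled
    fi
}

# Query one device by serial, report its state, and optionally disable.
check_device() {
    local serial do_disable installed disabled state
    serial=$1
    do_disable=$2
    installed=$(adb -s "$serial" shell pm list packages)
    disabled=$(adb -s "$serial" shell pm list packages -d)
    state=$(classify_state "$installed" "$disabled")
    printf '%s\t%s\t%s\n' "$serial" "$PKG" "$state"
    if [ "$state" = enabled ] && [ "$do_disable" = 1 ]; then
        adb -s "$serial" shell pm disable-user --user 0 "$PKG"
        # Re-check, as the post does, instead of trusting the command's exit code
        disabled=$(adb -s "$serial" shell pm list packages -d)
        printf '%s\t%s\t%s\n' "$serial" "$PKG" "$(classify_state "$installed" "$disabled")"
    fi
}

main() {
    local do_disable
    do_disable=0
    if [ "${1:-}" = --disable ]; then
        do_disable=1
    fi
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found in PATH" >&2
        return 2
    fi
    # Serial is column 1 of `adb devices`; skip the header and any
    # unauthorized/offline entries, which would only produce adb errors.
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        check_device "$serial" "$do_disable"
    done
}

main "$@"
```

Run it as `sh motocit_check.sh` to get one tab-separated line per device (serial, package, state), and `sh motocit_check.sh --disable` once you are ready to act. Output is deliberately plain so it can be fed straight into whatever inventory or ticketing you already use.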

For enterprise MDM administrators, push a compliance policy that either disables this package or flags devices where it's active. If your MDM supports app restriction profiles, block com.motorola.motocit from executing.

Watch for a firmware update from Motorola that either patches the access logic or removes the component from consumer builds entirely. The responsible fix has two parts: move the file out of shared storage into the app's private directory, and, wherever the descriptor is handed to another process over IPC, validate the caller's identity before handing it over:

java
// Fixed pattern: verify the Binder caller before handing out the descriptor.
// This only applies where the FD is exposed over IPC (an AIDL method or
// ContentProvider.openFile); the file itself still has to move out of shared
// storage into the app's private directory.
import android.content.pm.PackageManager;
import android.os.Binder;
import android.os.Process;

private boolean isAuthorizedCaller() {
    int callingUid = Binder.getCallingUid();
    // The system server and our own process are always acceptable
    if (callingUid == Process.SYSTEM_UID || callingUid == Process.myUid()) {
        return true;
    }
    // Otherwise require a package signed with the same key as this app
    // (the platform key, if the diagnostic app is platform-signed)
    return getPackageManager().checkSignatures(callingUid, Process.myUid())
            == PackageManager.SIGNATURE_MATCH;
}

// Call site, e.g. in a ContentProvider.openFile override:
//   if (!isAuthorizedCaller()) throw new SecurityException("caller not permitted");

The Bigger Picture

This is the same story we keep seeing with OEM pre-installed software: components built for a controlled environment (the factory floor) ship to millions of consumers with zero hardening. The factory test app doesn't need to be on your phone. It definitely doesn't need to be running. And it absolutely shouldn't be exposing writable file descriptors to shared storage without authentication.

Every pre-installed system app is attack surface you didn't ask for and can't easily remove. If you're evaluating devices for enterprise deployment, audit the system partition. Run pm list packages -s and ask yourself: does each of these need to be here? For most OEM diagnostic tools, the answer is no — and CVE-2026-5804 is what happens when nobody asks that question until it's too late.


Written by Eko

If you found this useful, follow @ekofyi on X for more notes like this — or get in touch if you have a problem to solve.