BlueStacks fails to restrict access permissions for ADB

  Impact of Vulnerability BlueStacks fails to restrict access permissions
  CVE Numbers  CVE-2018-0701
  Severity Rating High
  CVSS v3 Base / Temporal Scores: Base: 6.3
  Recommendations Install or update to latest BlueStacks App Player
  Affected Versions Windows: BlueStacks 3 and above
MacOS: BlueStacks 2 and above
  Location of Updated Software


BlueStacks employs Android running in a virtual machine (VM) to enable Android apps to run on
Windows or MacOS.
When BlueStacks is installed and activated, BlueStacks adb connection debug port 5555/TCP
waits for a connection request.
If the terminal which installed/activated BlueStacks is internet reachable, an attacker can install
malicious application by using package manager because adb connect does not require
authentication and lets a shell access the BlueStacks' VM environment

● CVE-2018-0701: BlueStacks fails to restrict access permissions.



For Windows

Download the product from
Install the updated Bluestacks Player using the usual update path.

For Mac

Please see attached the link of the mechanism of how to block the affected port.



● Do not connect BlueStacks installed machine to the internet directly.
● Block access from outside to 5555/TCP.


Masaki Kubo and Yoshiki Mori of Cybersecurity Laboratory,
National Institute of Information and Communications Technology

CVSS Scoring

Base Score 6.3
Attack Vector (AV) Advanced (A)
Attack Complexity (AC) Low (L)
Privileges Required (PR None (N)
User Interaction (UI) None (N)
Scope (S) Unchanged (U)
Confidentiality (C) Low (L)
Integrity (I) Low (L)
Availability (A) Low (L)

Was this article helpful?
11 out of 18 found this helpful
Reach out to us on Reddit (Join Reddit) or Discord (Join Discord) or at with your questions.