PatchSiren

CVE-2017-5554 OnePlus CVE debrief

CVE-2017-5554 is a OnePlus ABOOT issue in OxygenOS on OnePlus 3 and 3T devices before 4.0.2. If an attacker can get the device into fastboot mode—either physically during boot or through ADB access—they can issue a fastboot command that switches SELinux into permissive mode, significantly reducing Android security controls.

Vendor: OnePlus
Product: CVE-2017-5554
CVSS: HIGH 8.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2017-01-23
Original CVE updated: 2026-05-13
Advisory published: 2017-01-23
Advisory updated: 2026-05-13

Who should care

OnePlus 3 and 3T owners, mobile device administrators, enterprise mobility teams, and anyone responsible for securing devices that may be physically accessible or exposed to ADB access.

Technical summary

The vulnerability is tied to bootloader/fastboot handling in ABOOT. The published description says an attacker can reboot the device into fastboot without authentication, using either the physical Volume Up boot path or the adb reboot bootloader command when ADB is available. Once in fastboot, the attacker can run fastboot oem selinux permissive, which places the platform SELinux policy into permissive mode and weakens the system’s security enforcement. NVD maps the issue to CWE-287 and lists affected OxygenOS ranges ending at 3.2.8 and 3.5.4 for the referenced device families.

Defensive priority

High for any environment where OnePlus 3/3T devices may still run vulnerable OxygenOS builds and where physical access or ADB exposure is possible.

Recommended defensive actions

  • Upgrade OnePlus 3/3T devices to OxygenOS 4.0.2 or later, as identified in the vulnerability description.
  • Restrict or disable ADB access on production devices and treat any enabled developer access as sensitive.
  • Apply physical security controls to prevent unauthorized access during boot and to prevent unattended device handling.
  • Verify device policy settings after updates to ensure SELinux remains enforcing.
  • Inventory OnePlus 3 and 3T devices and prioritize remediation for any units running OxygenOS versions at or below the affected ranges.
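
The inventory and verification steps above can be run as a triage pass over exported device records. This is an added example, not code from the advisory or from OnePlus; the record fields (id, model, oxygenos, selinux, adb_enabled) and the sample devices are assumptions constructed for illustration, with selinux holding the output of getenforce collected on each device.

```python
import re

FIXED = (4, 0, 2)                          # per the page: fixed in OxygenOS 4.0.2
AFFECTED_MODELS = {"OnePlus 3", "OnePlus 3T"}

def parse_version(text):
    """Return the first dotted version in text as an int tuple, or None."""
    m = re.search(r"\d+(?:\.\d+)+", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(0).split("."))
    return parts + (0,) * (3 - len(parts))  # pad "4.0" to (4, 0, 0)

def triage(device):
    """List the findings for one inventory record (field names are assumptions)."""
    findings = []
    if device.get("model") in AFFECTED_MODELS:
        version = parse_version(device.get("oxygenos"))
        if version is None:
            findings.append("OxygenOS version unknown, treat as unpatched")
        elif version < FIXED:
            findings.append("OxygenOS below 4.0.2, upgrade")
    # "selinux" holds the output of `getenforce` collected on the device
    if (device.get("selinux") or "").strip().lower() != "enforcing":
        findings.append("SELinux not enforcing")
    if device.get("adb_enabled"):
        findings.append("ADB enabled")
    return findings

def prioritize(inventory):
    """Return (id, findings) for devices with findings, most findings first."""
    flagged = [(d["id"], triage(d)) for d in inventory]
    flagged = [item for item in flagged if item[1]]
    return sorted(flagged, key=lambda item: -len(item[1]))

# Constructed sample inventory, not real devices.
SAMPLE = [
    {"id": "dev-01", "model": "OnePlus 3T", "oxygenos": "OxygenOS 3.5.4",
     "selinux": "Permissive", "adb_enabled": True},
    {"id": "dev-02", "model": "OnePlus 3", "oxygenos": "3.2.8",
     "selinux": "Enforcing", "adb_enabled": False},
    {"id": "dev-03", "model": "OnePlus 3", "oxygenos": "4.0.2",
     "selinux": "Enforcing", "adb_enabled": False},
    {"id": "dev-04", "model": "OnePlus 3T", "oxygenos": None,
     "selinux": "Enforcing", "adb_enabled": True},
]

if __name__ == "__main__":
    for device_id, findings in prioritize(SAMPLE):
        print(device_id, "; ".join(findings))
```

A record with a missing version is flagged rather than skipped, so gaps in the inventory surface as work items instead of passing silently.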

Evidence notes

The issue description states that an unauthenticated reboot into fastboot is possible through physical boot interaction or via ADB, and that fastboot oem selinux permissive can then weaken SELinux. The NVD record identifies the affected software as OnePlus OxygenOS through versions 3.2.8 and 3.5.4, and cites CWE-287. The CVSS 3.0 vector in NVD is AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, though the narrative attack paths described in the source require local/physical or ADB access.

Official resources

CVE-2017-5554 was published on 2017-01-23. The supplied NVD record was last modified on 2026-05-13. The references in the source metadata point to advisories dated 2017-01-11, consistent with pre-publication reporting.