Improper Authorization Vulnerability in Samsung Members App
CVE-2021-25374

8.6HIGH

Key Information:

Vendor: Samsung
Status: Samsung Members
Vendor: CVE Published:; 9 April 2021

Badges

👾 Exploit Exists🟡 Public PoC

Summary

An improper authorization vulnerability exists in the Samsung Members app, specifically affecting the 'samsungrewards' scheme for deeplink functionality. This weakness allows remote attackers to gain unauthorized access to sensitive user data linked to Samsung Accounts, particularly in versions 2.4.83.9 on Android O (8.1) and 3.9.00.9 on Android P (9.0) and later. This vulnerability poses significant risks to user data security and privacy.

Affected Version(s)

Samsung Members Android O(8.x) and below < 2.4.83.9

Samsung Members Android P(9.0) and above < 3.9.00.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-25374_Samsung-Account-Access
Created by WithSecureLabs

References

https://security.samsungmobile.com/

x_refsource_CONFIRM

https://security.samsungmobile.com/serviceWeb.smsb

x_refsource_CONFIRM

EPSS Score

7% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Apr 10, 2021
👾
Exploit known to exist
Apr 10, 2021
Vulnerability published
Apr 9, 2021
Vulnerability Reserved
Jan 19, 2021