CVE-2021-25374

8.6HIGH

Key Information:

Vendor: Samsung
Status: Samsung Members
Vendor: CVE Published:; 9 April 2021

Badges

👾 Exploit Exists🟡 Public PoC

Summary

An improper authorization vulnerability in Samsung Members "samsungrewards" scheme for deeplink in versions 2.4.83.9 in Android O(8.1) and below, and 3.9.00.9 in Android P(9.0) and above allows remote attackers to access a user data related with Samsung Account.

Affected Version(s)

Samsung Members Android O(8.x) and below < 2.4.83.9

Samsung Members Android P(9.0) and above < 3.9.00.9

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2021-25374_Samsung-Account-Access
Created by WithSecureLabs

References

https://security.samsungmobile.com/

x_refsource_CONFIRM

https://security.samsungmobile.com/serviceWeb.smsb

x_refsource_CONFIRM

CVSS V3.1

Score:

8.6

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Timeline

🟡
Public PoC available
Apr 10, 2021
👾
Exploit known to exist
Apr 10, 2021
Vulnerability published
Apr 9, 2021
Vulnerability Reserved
Jan 19, 2021