| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 7 |
| CVE-ID | CVE-2025-21037 CVE-2025-21040 CVE-2025-21036 CVE-2025-21035 CVE-2025-21038 CVE-2025-21039 CVE-2025-21041 |
| CWE-ID | CWE-284 CWE-925 CWE-922 |
| Exploitation vector | Local |
| Public exploit | N/A |
| Vulnerable software | Samsung Notes (Mobile applications / Apps for mobile phones), SAssistant (Mobile applications / Apps for mobile phones), Samsung Calendar (Mobile applications / Apps for mobile phones), Samsung Secure Folder (Mobile applications / Apps for mobile phones) |
| Vendor | Samsung |
Security Bulletin
This security bulletin contains information about 7 vulnerabilities.
EUVDB-ID: #VU114743
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21037
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. An attacker with physical access can bypass implemented security restrictions and gain access to data across multiple user profiles.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Samsung Notes: before 4.4.30.63
External links
https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=09
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU114744
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21040
CWE-ID:
CWE-925 - Improper Verification of Intent by Broadcast Receiver
Exploit availability: No
Description
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to improper verification of intent by ExternalBroadcastReceiver. A local attacker can modify itinerary information.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
SAssistant: before 9.3.2
External links
https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=09
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU114745
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21036
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A local user can bypass implemented security restrictions and gain unauthorized access to exported note files.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Samsung Notes: before 4.4.30.63
External links
https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=09
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU114746
Risk: Low
CVSSv4.0: 1.7 [CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21035
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
Description
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. An attacker with physical access can bypass implemented security restrictions and gain unauthorized access to data across multiple user profiles.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Samsung Calendar: before 12.5.06.5
External links
https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=09
Q & A
Can this vulnerability be exploited remotely?
No. The attacker should have physical access to the system in order to successfully exploit this vulnerability.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU114747
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21038
CWE-ID:
CWE-925 - Improper Verification of Intent by Broadcast Receiver
Exploit availability: No
Description
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to improper verification of intent by SamsungExceptionalBroadcastReceiver. A local attacker can modify itinerary information.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
SAssistant: before 9.3.2
External links
https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=09
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU114748
Risk: Low
CVSSv4.0: 1.2 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21039
CWE-ID:
CWE-925 - Improper Verification of Intent by Broadcast Receiver
Exploit availability: No
Description
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to improper verification of intent by SystemExceptionalBroadcastReceiver. A local attacker can modify itinerary information.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
SAssistant: before 9.3.2
External links
https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=09
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU114749
Risk: Low
CVSSv4.0: 4.6 [CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2025-21041
CWE-ID:
CWE-922 - Insecure Storage of Sensitive Information
Exploit availability: No
Description
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to insecure storage of sensitive information. A local attacker can gain access to sensitive information on the system.
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Samsung Secure Folder: before Android 16
External links
https://security.samsungmobile.com/serviceWeb.smsb?year=2025&month=09
Q & A
Can this vulnerability be exploited remotely?
No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.
How can the attacker exploit this vulnerability?
The attacker would have to trick the victim into performing certain actions on the device.
The attacker would have to log in to the system and perform certain actions in order to exploit this vulnerability.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.