SB2025090311 - Multiple vulnerabilities in Samsung products
Published: September 3, 2025
Description
This security bulletin contains information about 7 vulnerabilities.
1) Improper access control (CVE-ID: CVE-2025-21037)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. An attacker with physical access can bypass implemented security restrictions and gain access to data across multiple user profiles.
2) Improper Verification of Intent by Broadcast Receiver (CVE-ID: CVE-2025-21040)
CWE-ID: CWE-925 - Improper Verification of Intent by Broadcast Receiver
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to improper verification of intent by ExternalBroadcastReceiver. A local attacker can modify itinerary information.
3) Improper access control (CVE-ID: CVE-2025-21036)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. A local user can bypass implemented security restrictions and gain unauthorized access to exported note files.
4) Improper access control (CVE-ID: CVE-2025-21035)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to improper access restrictions. An attacker with physical access can bypass implemented security restrictions and gain unauthorized access to data across multiple user profiles.
5) Improper Verification of Intent by Broadcast Receiver (CVE-ID: CVE-2025-21038)
CWE-ID: CWE-925 - Improper Verification of Intent by Broadcast Receiver
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to improper verification of intent by SamsungExceptionalBroadcastReceiver. A local attacker can modify itinerary information.
6) Improper Verification of Intent by Broadcast Receiver (CVE-ID: CVE-2025-21039)
CWE-ID: CWE-925 - Improper Verification of Intent by Broadcast Receiver
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to improper verification of intent by SystemExceptionalBroadcastReceiver. A local attacker can modify itinerary information.
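Items 2, 5 and 6 are all instances of CWE-925: a broadcast receiver that acts on an incoming Intent without verifying that the Intent is one it should handle, so any app on the same device can feed it crafted data. The bulletin gives no source, so the following is an added, generic Android example written for this page rather than Samsung's code; the receiver class, action string and extra names are hypothetical. It shows the two controls a reviewer would look for: the receiver is not exported (manifest attribute and, for runtime registration, the RECEIVER_NOT_EXPORTED flag), and onReceive() checks the action and validates every extra before touching application state.

```java
// Added defensive example for CWE-925 (not from the bulletin or Samsung).
// All names below are hypothetical placeholders.
package example.hardening;

import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;
import android.util.Log;

import java.util.regex.Pattern;

/*
 * Manifest declaration (hypothetical): the receiver is reachable only from
 * within this package, so other apps cannot address it at all.
 *
 *   <receiver android:name=".ItineraryUpdateReceiver"
 *             android:exported="false" />
 *
 * If an app-to-app path is genuinely required, add android:permission with a
 * signature-level permission instead of relying on the action check alone.
 */
public class ItineraryUpdateReceiver extends BroadcastReceiver {
    private static final String TAG = "ItineraryUpdateReceiver";

    // Hypothetical app-private action; a receiver should handle only actions it declares.
    public static final String ACTION_UPDATE = "example.hardening.action.UPDATE_ITINERARY";
    public static final String EXTRA_TRIP_ID = "trip_id";
    public static final String EXTRA_DEPARTURE_EPOCH = "departure_epoch";

    // Trip identifiers are short opaque tokens; reject anything else.
    private static final Pattern TRIP_ID = Pattern.compile("[A-Za-z0-9-]{1,64}");

    @Override
    public void onReceive(Context context, Intent intent) {
        // Control 1: only the action this receiver was written for.
        if (intent == null || !ACTION_UPDATE.equals(intent.getAction())) {
            Log.w(TAG, "Dropping broadcast with unexpected action");
            return;
        }

        // Control 2: validate each extra before it reaches application state.
        String tripId = intent.getStringExtra(EXTRA_TRIP_ID);
        long departure = intent.getLongExtra(EXTRA_DEPARTURE_EPOCH, -1L);
        if (!isValidUpdate(tripId, departure)) {
            Log.w(TAG, "Dropping broadcast with malformed extras");
            return;
        }

        // Only now is the data trusted enough to apply (hypothetical store).
        ItineraryStore.get(context).updateDeparture(tripId, departure);
    }

    /** Pure validation so the rule can be unit-tested without an Intent. */
    static boolean isValidUpdate(String tripId, long departureEpochSeconds) {
        if (tripId == null || !TRIP_ID.matcher(tripId).matches()) {
            return false;
        }
        // Departure must be a plausible future timestamp (seconds since epoch).
        long now = System.currentTimeMillis() / 1000L;
        return departureEpochSeconds > now
                && departureEpochSeconds < now + 366L * 24 * 60 * 60;
    }

    /**
     * Runtime registration equivalent of android:exported="false".
     * RECEIVER_NOT_EXPORTED exists from API 33; earlier releases need the
     * manifest route or a signature permission in registerReceiver().
     */
    public static void registerNotExported(Context context) {
        IntentFilter filter = new IntentFilter(ACTION_UPDATE);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            context.registerReceiver(new ItineraryUpdateReceiver(), filter,
                    Context.RECEIVER_NOT_EXPORTED);
        } else {
            // Hypothetical signature-level permission held only by this app's own components.
            context.registerReceiver(new ItineraryUpdateReceiver(), filter,
                    "example.hardening.permission.INTERNAL", null);
        }
    }
}
```

The action check alone is not sufficient: any app can set an arbitrary action string on an explicit Intent, so non-export (or a signature permission) is what actually stops the local attacker, and the action and extra validation is defence in depth for mistakes in the registration path.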
7) Insecure Storage of Sensitive Information (CVE-ID: CVE-2025-21041)
CWE-ID: CWE-922 - Insecure Storage of Sensitive Information
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local attacker to compromise the target system.
The vulnerability exists due to insecure storage of sensitive information. A local attacker can gain access to sensitive information on the system.
Remediation
Install the update from the vendor's website.