CVE-2019-16256
Published: 12 September 2019
Summary
CVE-2019-16256 is a critical-severity vulnerability of unspecified weakness type in Trusted Connectivity Alliance S@T Browser. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and AC-3 (Access Enforcement).
Deeper analysis
Some Samsung devices include the SIMalliance Toolbox Browser (also known as S@T Browser) on the UICC. This component is vulnerable to remote exploitation via SIM Toolkit (STK) instructions delivered in SMS messages, enabling attackers to retrieve location and IMEI data or perform other actions. The issue is tracked as CVE-2019-16256 and is also known as Simjacker, with a CVSS 3.1 base score of 9.8.
Remote attackers can send crafted SMS messages containing STK commands; no authentication or user interaction is required. Successful exploitation allows retrieval of sensitive device and subscriber information or execution of arbitrary commands on the affected UICC.
The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming real-world exploitation activity. Public references from Adaptive Mobile describe the Simjacker technique in detail but do not specify vendor patches or configuration mitigations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-7062
Vulnerability details
Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or execute certain commands, via SIM Toolkit (STK) instructions in an SMS message, aka Simjacker.
- CWE(s)
- KEV Date Added: 03 November 2021
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls (NIST 800-53 r5)
Enforces information flow rules that would block unauthorized STK commands delivered via SMS from reaching the UICC and accessing location/IMEI data or executing actions.
Requires explicit enforcement of access rules before any subject (including SMS-delivered STK instructions) can read sensitive attributes or invoke UICC commands.
Boundary-protection mechanisms can inspect, filter, or log SMS traffic carrying STK payloads before they reach the device UICC.