Cyber Resilience

CVE-2019-16256

Critical · CISA KEV · Active Exploitation · EUVD Exploited · Public PoC

Published: 12 September 2019

Modified
12 November 2025
KEV Added
03 November 2021
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6119 (98.3rd percentile)
Risk Priority: 76 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-16256 is a critical-severity vulnerability of unspecified weakness type in the Trusted Connectivity Alliance S@T Browser. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 1.7% of CVEs by exploit likelihood (EPSS); CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and AC-3 (Access Enforcement).

Deeper analysis

Some Samsung devices include the SIMalliance Toolbox Browser (also known as S@T Browser) on the UICC. This component is vulnerable to remote exploitation via SIM Toolkit (STK) instructions delivered in SMS messages, enabling attackers to retrieve location and IMEI data or perform other actions. The issue is tracked as CVE-2019-16256 and is also known as Simjacker, with a CVSS 3.1 base score of 9.8.

Remote attackers can send crafted SMS messages containing STK commands; no authentication or user interaction is required. Successful exploitation allows retrieval of sensitive device and subscriber information or execution of certain commands on the affected UICC.

The vulnerability appears in CISA's catalog of known exploited vulnerabilities, confirming real-world exploitation activity. Public references from Adaptive Mobile describe the Simjacker technique in detail but do not specify vendor patches or configuration mitigations.


Vulnerability details

Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or execute certain commands, via SIM Toolkit (STK) instructions in an SMS message, aka Simjacker.

CWE(s): not specified

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: trustedconnectivityalliance
Product: s@t browser
Versions: all versions

Mitigating Controls (NIST 800-53 r5)

AC-4 Information Flow Enforcement (prevent): Enforces information flow rules that would block unauthorized STK commands delivered via SMS from reaching the UICC and accessing location/IMEI data or executing actions.

AC-3 Access Enforcement (prevent): Requires explicit enforcement of access rules before any subject (including SMS-delivered STK instructions) can read sensitive attributes or invoke UICC commands.

SC-7 Boundary Protection (prevent, detect): Boundary-protection mechanisms can inspect, filter, or log SMS traffic carrying STK payloads before they reach the device UICC.
