CVE-2021-25337
Published: 04 March 2021
Summary
CVE-2021-25337 is a medium-severity Improper Privilege Management (CWE-269) vulnerability in Samsung Android. Its CVSS base score is 4.4 (Medium).
Operationally, ranked in the top 25.5% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
The vulnerability is an improper access control issue (CWE-269) in the clipboard service of Samsung mobile devices running versions prior to the SMR Mar-2021 Release 1. It enables untrusted applications to read or write certain local files on the device, with a CVSS 3.1 base score of 4.4 reflecting local attack vector, low complexity, no required privileges, and required user interaction.
An attacker can exploit the flaw by installing or running an untrusted application on the affected Samsung device. Successful exploitation grants the ability to access or modify selected local files, resulting in limited impacts to confidentiality and integrity without affecting availability.
Samsung security advisories direct users to apply the SMR Mar-2021 Release 1 update or later via the referenced security update pages. The CVE is also catalogued by CISA as a known exploited vulnerability, confirming observed real-world attacks.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-12233
Vulnerability details
Improper access control in clipboard service in Samsung mobile devices prior to SMR Mar-2021 Release 1 allows untrusted applications to read or write certain local files.
- CWE(s)
- KEV Date Added
- 08 November 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces access restrictions on the clipboard service so untrusted applications cannot read or write arbitrary local files.
Limits privileges granted to user-installed applications, reducing the impact of the missing access control checks in the clipboard service.
Requires prompt application of the SMR Mar-2021 Release 1 (or later) patch that corrects the improper access control flaw.