Cyber Posture

CVE-2025-20903

High

Published: 06 March 2025

Published
06 March 2025
Modified
05 February 2026
KEV Added
Patch
CVSS Score 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0005 16.7th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20903 is a high-severity an unspecified weakness vulnerability in Samsung Android. Its CVSS base score is 7.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 16.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for access to system resources, directly countering the improper access control allowing local low-privilege attackers to launch privileged activities.

AC-6 Least Privilege good match
prevent

Implements least privilege to restrict low-privilege local attackers from executing privileged activities despite user interaction.

SI-2 Flaw Remediation good match
prevent

Mandates identification, reporting, and timely correction of flaws like this improper access control vulnerability through patching to SMR Mar-2025 Release 1.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
Why these techniques?

The improper access control vulnerability directly enables local attackers to launch privileged activities, mapping to Exploitation for Privilege Escalation (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Improper access control in SecSettingsIntelligence prior to SMR Mar-2025 Release 1 allows local attackers to launch privileged activities. User interaction is required for triggering this vulnerability.

Deeper analysisAI

CVE-2025-20903 is an improper access control vulnerability affecting the SecSettingsIntelligence component prior to SMR Mar-2025 Release 1. This issue enables local attackers to launch privileged activities, with user interaction required to trigger the vulnerability. The flaw carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE information not available from NVD.

A local attacker with low privileges can exploit this vulnerability by leveraging low attack complexity and inducing user interaction, such as clicking a malicious link or confirming an action. Successful exploitation allows the attacker to execute privileged activities, potentially compromising high levels of confidentiality, integrity, and availability on the affected device.

Samsung's security bulletin for March 2025, available at https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=03, details the vulnerability and recommends updating to SMR Mar-2025 Release 1 or later to mitigate the issue.

Details

CWE(s)
NVD-CWE-noinfo

Affected Products

samsung
android
12.0, 13.0, 14.0, 15.0

CVEs Like This One

CVE-2025-20890Same product: Samsung Android
CVE-2025-20888Same product: Samsung Android
CVE-2026-20971Same product: Samsung Android
CVE-2026-20979Same product: Samsung Android
CVE-2026-20970Same product: Samsung Android
CVE-2026-20983Same product: Samsung Android
CVE-2026-21010Same product: Samsung Android
CVE-2025-20882Same product: Samsung Android
CVE-2026-20990Same product: Samsung Android
CVE-2025-20881Same product: Samsung Android

References