Cyber Resilience

CVE-2025-43706

HighDDoS

Published: 05 January 2026

Published
05 January 2026
Modified
09 January 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0010 27.3th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-43706 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Samsung Exynos 1080 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 27.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SC-6 (Resource Availability).

Deeper analysis

CVE-2025-43706 is a vulnerability discovered in the L2 layer of Samsung Mobile Processor, Wearable Processor, and Modem components, specifically affecting Exynos models 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400. The flaw arises from incorrect handling of RRC packets, leading to a denial of service condition. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and is classified under CWE-400 (Uncontrolled Resource Consumption). The CVE was published on 2026-01-05.

Attackers can exploit this vulnerability remotely over the network with low attack complexity, requiring no privileges, authentication, or user interaction. By sending malformed RRC packets to an affected device, an unauthenticated remote attacker can trigger a denial of service, disrupting the target's availability while having no impact on confidentiality or integrity.

Samsung Semiconductor provides details and mitigation through its product security updates on the support pages at https://semiconductor.samsung.com/support/quality-support/product-security-updates/ and https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-43706/.

EU & UK References

Vulnerability details

An issue was discovered in L2 in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2400, 1580, 9110, W920, W930, Modem 5123, and Modem 5400. Incorrect handling of RRC packets leads to a Denial of Service.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Malformed RRC packet handling triggers remote DoS via system exploitation on affected endpoints.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-59439Same product: Samsung Exynos 1080
CVE-2025-59440Same product: Samsung Exynos 1080
CVE-2025-58349Same product: Samsung Exynos 1080
CVE-2025-54324Same product: Samsung Exynos 1080
CVE-2024-46923Same product: Samsung Exynos 2400
CVE-2025-57835Same product: Samsung Exynos 1080
CVE-2025-57834Same product: Samsung Exynos 1080
CVE-2024-52923Same product: Samsung Exynos 1080
CVE-2024-52924Same product: Samsung Exynos 1080
CVE-2024-50600Same product: Samsung Exynos 1080

Affected Assets

samsung
exynos 1080 firmware
all versions
samsung
exynos 1580 firmware
all versions
samsung
exynos 980 firmware
all versions
samsung
exynos 990 firmware
all versions
samsung
exynos 9110 firmware
all versions
samsung
exynos 850 firmware
all versions
samsung
exynos 2400 firmware
all versions
samsung
exynos w930 firmware
all versions
samsung
exynos w920 firmware
all versions
samsung
modem 5123 firmware
all versions
+1 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly implements denial-of-service protections to block or mitigate remote exploitation via malformed RRC packets causing resource exhaustion in affected Exynos processors and modems.

prevent

Protects availability of system resources from uncontrolled consumption triggered by incorrect L2 handling of RRC packets, addressing the core CWE-400 issue.

prevent

Validates incoming RRC packets to prevent malformed inputs from reaching the vulnerable L2 layer and triggering the denial-of-service condition.

References