CVE-2025-57836
Published: 05 January 2026
Summary
CVE-2025-57836 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Samsung Magician. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique DLL Side-Loading (T1574.002); ranked at the 4.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-4 (Information in Shared System Resources) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely identification, reporting, and correction of flaws such as the weak temporary folder permissions in Samsung Magician installers, preventing DLL hijacking via patching.
Prevents unauthorized information transfer via shared system resources like the weakly permissioned temporary folder exploited for DLL placement and hijacking.
Prohibits or controls user-installed software such as vulnerable Samsung Magician versions, limiting deployment of installers that create exploitable temporary folders.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Weak temp folder permissions during install directly enable DLL side-loading (T1574.002) for local privilege escalation (T1068).
NVD Description
An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges.
Deeper analysisAI
CVE-2025-57836 is a vulnerability in Samsung Magician versions 6.3.0 through 8.3.2 on Windows. During installation, the software creates a temporary folder with weak permissions, which enables DLL hijacking and subsequent privilege escalation. This issue maps to CWE-427 (Untrusted Search Path) and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
A low-privileged local user can exploit the vulnerability by placing a malicious DLL in the temporary folder created by the installer. With low attack complexity and no user interaction required, successful exploitation grants the attacker high-impact access to confidentiality, integrity, and availability, allowing full privilege escalation on the affected system.
Samsung provides details on mitigation through its product security updates, available at https://semiconductor.samsung.com/support/quality-support/product-security-updates/ and the dedicated CVE page at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57836/. Security practitioners should consult these advisories for patching instructions and workarounds.
Details
- CWE(s)