CVE-2025-66363

High

Published: 03 March 2026

Published

03 March 2026

Modified

04 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Score 0.0007 20.2th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66363 is a high-severity Improper Initialization (CWE-665) vulnerability in Samsung Exynos 2200 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 20.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004).

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-4 Information in Shared System Resources

addresses: CWE-665

Ensures shared resources are explicitly initialized or cleared on allocation, preventing exposure of prior contents to new users or processes.

SI-14 Non-persistence

addresses: CWE-665

Mandates that every instance begins in a known (presumably clean) state, eliminating reliance on residual or uninitialized state left by prior executions.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

Remote network message exploitation of improper memory initialization directly enables application/system DoS via crash or resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

An issue was discovered in LBS in Samsung Mobile Processor Exynos 2200. There was no check for memory initialization within DL NAS Transport messages.

Deeper analysisAI

CVE-2025-66363 is a vulnerability in the LBS component of the Samsung Mobile Processor Exynos 2200, where there is no check for memory initialization within DL NAS Transport messages. Published on 2026-03-03, this issue falls under CWE-665 (Improper Initialization) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability enables remote exploitation over the network with low complexity, requiring no privileges, user interaction, or authentication. Attackers can trigger it to cause high-impact denial of service, such as system crashes or resource exhaustion due to uninitialized memory handling in DL NAS Transport messages.

Samsung provides mitigation details through their product security updates portal at https://semiconductor.samsung.com/support/quality-support/product-security-updates/ and the dedicated CVE page at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66363/. Security practitioners should consult these resources for patch availability and deployment guidance on affected Exynos 2200 devices.

Details

CWE(s): CWE-665

Affected Products

samsung

exynos 2200 firmware

all versions

CVEs Like This One

CVE-2025-62814Same product: Samsung Exynos 2200

CVE-2025-62817Same product: Samsung Exynos 2200

CVE-2025-57835Same product: Samsung Exynos 2200

CVE-2024-52923Same product: Samsung Exynos 2200

CVE-2024-52924Same product: Samsung Exynos 2200

CVE-2025-58349Same product: Samsung Exynos 2200

CVE-2025-59440Same product: Samsung Exynos 2200

CVE-2025-57834Same product: Samsung Exynos 2200

CVE-2025-59439Same vendor: Samsung

CVE-2025-43706Same vendor: Samsung

References

https://semiconductor.samsung.com/support/quality-support/product-security-updates/
Vendor Advisory · cve@mitre.org
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66363/
Vendor Advisory · cve@mitre.org