Cyber Resilience

CVE-2025-66363

High

Published: 03 March 2026

Published
03 March 2026
Modified
04 March 2026
KEV Added
Patch
CVSS Score v3.1 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0007 20.5th percentile
Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-66363 is a high-severity Improper Initialization (CWE-665) vulnerability in Samsung Exynos 2200 Firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 20.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-66363 is a vulnerability in the LBS component of the Samsung Mobile Processor Exynos 2200, where there is no check for memory initialization within DL NAS Transport messages. Published on 2026-03-03, this issue falls under CWE-665 (Improper Initialization) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

The vulnerability enables remote exploitation over the network with low complexity, requiring no privileges, user interaction, or authentication. Attackers can trigger it to cause high-impact denial of service, such as system crashes or resource exhaustion due to uninitialized memory handling in DL NAS Transport messages.

Samsung provides mitigation details through their product security updates portal at https://semiconductor.samsung.com/support/quality-support/product-security-updates/ and the dedicated CVE page at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66363/. Security practitioners should consult these resources for patch availability and deployment guidance on affected Exynos 2200 devices.

EU & UK References

Vulnerability details

An issue was discovered in LBS in Samsung Mobile Processor Exynos 2200. There was no check for memory initialization within DL NAS Transport messages.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote network message exploitation of improper memory initialization directly enables application/system DoS via crash or resource exhaustion (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-46923Same product: Samsung Exynos 2200
CVE-2025-62814Same product: Samsung Exynos 2200
CVE-2025-62817Same product: Samsung Exynos 2200
CVE-2025-59440Same product: Samsung Exynos 2200
CVE-2024-52923Same product: Samsung Exynos 2200
CVE-2024-52924Same product: Samsung Exynos 2200
CVE-2025-58349Same product: Samsung Exynos 2200
CVE-2025-57835Same product: Samsung Exynos 2200
CVE-2025-57834Same product: Samsung Exynos 2200
CVE-2025-43706Same vendor: Samsung

Affected Assets

samsung
exynos 2200 firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation directly addresses the improper memory initialization check in Exynos 2200 LBS by applying vendor patches to prevent remote DoS exploitation.

prevent

Information input validation on DL NAS Transport messages enforces checks for proper memory initialization, preventing crashes from uninitialized memory handling.

prevent

Denial-of-service protection at network entry points mitigates the high availability impact of remote exploitation causing system crashes or resource exhaustion.

References