
Samsung Phone Flaws Added to CISA ‘Must Patch’ List Likely Exploited by Spyware Vendor

CISA adds 6 Samsung mobile device flaws to its known exploited vulnerabilities catalog and they have likely been exploited by a spyware vendor.


The US Cybersecurity and Infrastructure Security Agency (CISA) has added half a dozen flaws affecting Samsung smartphones to its Known Exploited Vulnerabilities Catalog, and they have all likely been exploited by a commercial spyware vendor.

CISA added eight new vulnerabilities to its catalog on Thursday, including two D-Link router and access point vulnerabilities exploited by a Mirai botnet variant. The six remaining security holes impact Samsung mobile devices and they were all patched by the technology giant in 2021.

The vulnerabilities include CVE-2021-25487, an out-of-bounds read in the modem interface driver that can lead to arbitrary code execution, fixed in October 2021. Samsung has classified the bug as ‘moderate’, but its NVD advisory rates it ‘high severity’ based on its CVSS score.

The same October 2021 round of patches also addresses CVE-2021-25489, a low-severity format string bug in the modem interface driver that can lead to a DoS condition.

CISA also added CVE-2021-25394 and CVE-2021-25395, moderate-severity use-after-free bugs in the MFC charger driver. Both were fixed by Samsung in May 2021.

The remaining two are CVE-2021-25371, a moderate-severity issue that can allow an attacker to load arbitrary ELF files inside the DSP driver, and CVE-2021-25372, a moderate-severity out-of-bounds access vulnerability in the same driver. Both were patched in March 2021.

Samsung does not appear to have updated its old advisories to warn users about the exploitation of the vulnerabilities.


There are no public reports describing exploitation of the Samsung mobile device vulnerabilities added to CISA’s ‘must-patch’ list this week. However, they have likely been exploited by a commercial spyware vendor.

Samsung and CISA recently warned users about CVE-2023-21492, a kernel pointer exposure issue related to log files that can allow a privileged local attacker to bypass the ASLR exploit mitigation technique.

Google, whose researchers discovered CVE-2023-21492, noted that the vulnerability has been known since 2021. 

In addition, in November 2022, Google disclosed the details of three similar Samsung phone vulnerabilities with 2021 CVEs that have been exploited by an unnamed spyware vendor against Android devices, including while they still had a zero-day status.

The three vulnerabilities disclosed in November 2022 were patched in March 2021. In addition, Google said at the time that it had been aware of half a dozen other Samsung vulnerabilities with 2021 CVE identifiers that have been exploited in attacks. This reinforces the theory that the flaws added by CISA this week to its catalog were exploited by spyware vendors whose activities have been monitored by Google. 

SecurityWeek has reached out to Google for confirmation. 

UPDATE: In response to SecurityWeek’s inquiry, Google pointed to a tweet from Google Project Zero researcher Maddie Stone. The tweet confirms that all the Samsung vulnerabilities were discovered as part of the same research. They were added to Google’s zero-day exploitation tracker for the year 2021.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
