CVE-2018-3918

CWE-7073 documents3 sources

Severity

7.5HIGH

EPSS

0.8%

top 26.75%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Samsung Samsung Samsung Sth-eth-250 Firmware

Timeline

PublishedAug 27

Latest updateMay 13

Description

An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17. The hubCore process listens on port 39500 and relays any unauthenticated messages to SmartThings' remote servers, which incorrectly handle camera IDs for the 'sync' operation, leading to arbitrary deletion of cameras. An attacker can send an HTTP request to trigger this vulnerability.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:NExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDsamsung/sth-eth-250_firmware0.20.17

▶CVEListV5samsung/samsungSamsung SmartThings Hub STH-ETH-250 - Firmware version 0.20.17

🔴Vulnerability Details

GHSA

GHSA-7fjm-q9xv-4f29: An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0↗2022-05-13

▶

CVEList

CVE-2018-3918: An exploitable vulnerability exists in the remote servers of Samsung SmartThings Hub STH-ETH-250 - Firmware version 0↗2018-08-27

▶