cbcvebase.
CVE-2019-16256
published 2019-09-12

CVE-2019-16256: Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI…

PriorityP180critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
KEVITW
CISA Known Exploited Vulnerabilitydue 2022-05-03
Exploited in the wild
EPSS
4.95%
91.1th percentile
Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or execute certain commands, via SIM Toolkit (STK) instructions in an SMS message, aka Simjacker.

Detection & IOCsextracted from sources · hover to see the quote

  • Attack vector is a specially crafted SMS message containing SIM Toolkit (STK) instructions targeting the S@T Browser on the UICC; monitor for anomalous binary SMS (OTA) messages delivering STK commands to SIM cards
  • Exploitation can result in silent retrieval of device location and IMEI; monitor for unexpected SS7/SMPP-layer binary SMS traffic or unsolicited location disclosure events from handsets
  • The attack modifies the payload message to execute a range of commands beyond location/IMEI retrieval; inspect OTA SMS payloads for S@T Browser (SIMalliance Toolbox Browser) command envelopes
  • ·The vulnerable component (S@T Browser) resides on the UICC (SIM card) itself, not the handset OS; patching requires SIM card replacement or OTA SIM update by the carrier — standard OS/firmware updates are insufficient
  • ·Scope is not limited to Samsung; any device whose carrier has provisioned a UICC with S@T Browser is potentially affected, making carrier-side detection and remediation essential

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
cisa9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.