⚠ Actively exploited
Added to CISA KEV on 2022-11-08. Federal agencies required to patch by 2022-11-29. Required action: Apply updates per vendor instructions.
Severity
5.5 MEDIUM (NVD)
CNA 6.2 | VulnCheck 4.4 | CISA 7.1
EPSS
0.2%
top 56.34%
CISA KEV
Added 2022-11-08
Due 2022-11-29
Exploit
Exploited in wild
Active exploitation observed
Timeline
Published: Mar 26
KEV added: Nov 8
KEV due: Nov 29

Description

An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Exploitability: 1.8 | Impact: 3.6

Affected Packages (2 packages)

CVEListV5 | samsung_mobile/samsung_mobile_devices | O(8.x), P(9.0), Q(10.0) | SMR Mar-2021 Release 1
NVD | samsung/android | 4 versions +3

🔴 Vulnerability Details (7)

Project0
A Very Powerful Clipboard: Analysis of a Samsung in-the-wild exploit chain - Project Zero (2022-11-01)
GHSA
GHSA-g6pj-gc3g-pf4q: An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace (2022-05-24)
CVEList
CVE-2021-25369: An improper access control vulnerability in sec_log file prior to SMR MAR-2021 Release 1 exposes sensitive kernel information to userspace (2021-03-26)
VulnCheck
Samsung Mobile Devices Memory Corruption Vulnerability (2021)
VulnCheck
Samsung Mobile Devices Improper Access Control Vulnerability (2021)

📋 Vendor Advisories (3)

CISA
Samsung Mobile Devices Improper Access Control Vulnerability (2022-11-08)
CISA
Samsung Mobile Devices Improper Access Control Vulnerability (2022-11-08)
CISA
Samsung Mobile Devices Memory Corruption Vulnerability (2022-11-08)
CVE-2021-25369 — Sensitive Information Exposure | cvebase