Samsung SmartThings vulnerabilities

17 known vulnerabilities affecting samsung/smartthings.

Total CVEs: 17
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 12, MEDIUM 3, LOW 1

Vulnerabilities

CVE-2025-2233 | HIGH | CVSS 8.8 | fixed in 0.55.5v000.054.00013 | 2025-03-11
  [HIGH] CWE-347: Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Samsung SmartThings. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Hub Local API service,
  Sources: cvelistv5, nvd

CVE-2024-49416 | MEDIUM | CVSS 5.5 | fixed in 1.8.21 | 2024-12-03
  [MEDIUM] Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information.
  Source: nvd

CVE-2024-34596 | HIGH | CVSS 7.5 | fixed in 1.8.17 | 2024-07-02
  [MEDIUM] CWE-287: Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner.
  Source: nvd

CVE-2024-20852 | LOW | CVSS 3.3 | fixed in 1.8.13.22 | 2024-04-02
  [MEDIUM] Improper verification of intent by broadcast receiver vulnerability in SmartThings prior to version 1.8.13.22 allows local attackers to access testing configuration.
  Source: nvd

CVE-2022-39866 | HIGH | CVSS 7.5 | fixed in 1.7.89.0 | 2022-10-07
  [MEDIUM] CWE-284: Improper access control vulnerability in RegisteredEventMediator.kt in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
  Source: nvd

CVE-2022-39869 | HIGH | CVSS 7.5 | fixed in 1.7.89.0 | 2022-10-07
  [MEDIUM] CWE-284: Improper access control vulnerability in cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.
  Source: nvd

CVE-2022-39865 | HIGH | CVSS 7.5 | fixed in 1.7.89.0 | 2022-10-07
  [MEDIUM] CWE-284: Improper access control vulnerability in ContentsSharingActivity.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
  Source: nvd

CVE-2022-39867 | HIGH | CVSS 7.5 | fixed in 1.7.89.0 | 2022-10-07
  [MEDIUM] CWE-284: Improper access control vulnerability in cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast.
  Source: nvd

CVE-2022-39870 | HIGH | CVSS 7.5 | fixed in 1.7.89.0 | 2022-10-07
  [MEDIUM] CWE-284: Improper access control vulnerability in cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.
  Source: nvd

CVE-2022-39871 | HIGH | CVSS 7.5 | fixed in 1.7.89.0 | 2022-10-07
  [MEDIUM] CWE-284: Improper access control vulnerability in cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.
  Source: nvd

CVE-2022-39868 | HIGH | CVSS 7.5 | fixed in 1.7.89.0 | 2022-10-07
  [MEDIUM] CWE-284: Improper access control vulnerability in GedSamsungAccount.kt in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
  Source: nvd

CVE-2022-39864 | HIGH | CVSS 7.5 | fixed in 1.7.85.25 | 2022-10-07
  [LOW] CWE-284: Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.
  Source: nvd

CVE-2022-30746 | HIGH | CVSS 7.5 | fixed in 1.7.85.12 | 2022-06-07
  [HIGH] CWE-285: Missing caller check in Smart Things prior to version 1.7.85.12 allows an attacker to access sensitive information remotely using the JavaScript interface API.
  Source: nvd

CVE-2022-30749 | HIGH | CVSS 7.8 | fixed in 1.7.85.25 | 2022-06-07
  [LOW] CWE-287: Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity.
  Source: nvd

CVE-2022-30747 | MEDIUM | CVSS 5.5 | fixed in 1.7.85.25 | 2022-06-07
  [MEDIUM] CWE-276: PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.
  Source: nvd

CVE-2021-25508 | CRITICAL | CVSS 9.8 | fixed in 1.7.73.22 | 2021-11-05
  [MEDIUM] CWE-269: Improper privilege management vulnerability in the API key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation.
  Source: nvd

CVE-2021-25378 | MEDIUM | CVSS 5.3 | fixed in 1.7.63.6 | 2021-04-09
  [MEDIUM] CWE-20: Improper access control of a certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service.
  Source: nvd