Security Vulnerability Report
中文
CVE-2025-21046 CVSS 2.4 LOW

CVE-2025-21046

Published: 2025-10-10 07:15:40
Last Modified: 2025-10-23 12:43:46
Source: [email protected]

Description

Improper access control in WindowManager in Samsung DeX prior to SMR Oct-2025 Release 1 allows physical attackers to temporarily access to recent app list.

CVSS Details

CVSS Score
2.4
Severity
LOW
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:* - VULNERABLE
Samsung DeX < SMR Oct-2025 Release 1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-21046 - Samsung DeX WindowManager Improper Access Control PoC # This PoC demonstrates the conceptual exploitation of the vulnerability # The vulnerability allows physical attackers to access recent app list # in Samsung DeX mode prior to SMR Oct-2025 Release 1. import subprocess import time def trigger_recent_apps_in_dex(): """ Conceptual PoC for CVE-2025-21046. The actual exploit requires physical access to a Samsung device running DeX mode with vulnerable firmware. """ # Step 1: Ensure the device is in DeX mode (connected to external display) # or in a state where WindowManager processes are active print("[*] Ensure device is connected to DeX station/external display") # Step 2: Trigger the WindowManager race condition by rapidly # toggling between lock states or app switcher actions # This can be done via physical key combinations on the device print("[*] Rapidly press Recents/Home key to trigger race condition") # Step 3: The recent app list becomes accessible without authentication # due to improper access control in WindowManager print("[*] Recent app list is now accessible without proper authentication") # Step 4: Extract information about recently used apps recent_apps = get_recent_apps() print(f"[+] Leaked recent apps: {recent_apps}") def get_recent_apps(): """ Simulate accessing the recent apps list via dumpsys or similar method. On a vulnerable device, this would not require unlock authentication. """ try: # On Android, recent tasks can be queried via Activity Manager result = subprocess.run( ['adb', 'shell', 'dumpsys', 'activity', 'recents'], capture_output=True, text=True, timeout=5 ) return result.stdout except Exception as e: return f"Error: {e}" if __name__ == "__main__": print("CVE-2025-21046 PoC - Samsung DeX WindowManager Access Control Bypass") print("WARNING: Only use on devices you own or have authorization to test.") trigger_recent_apps_in_dex()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-21046", "sourceIdentifier": "[email protected]", "published": "2025-10-10T07:15:39.713", "lastModified": "2025-10-23T12:43:45.953", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper access control in WindowManager in Samsung DeX prior to SMR Oct-2025 Release 1 allows physical attackers to temporarily access to recent app list."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 2.4, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:-:*:*:*:*:*:*", "matchCriteriaId": "A123EDB1-3048-44B0-8D4D-39A2B24B5F6B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "BDE4D65E-8F9B-4810-AED6-95564A97D741"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "70825981-F895-4BFD-9B6E-92BFF0D67023"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "A5E68B7B-BA08-4E8C-B60A-B3836C6986BC"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-apr-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "AC42E785-02BF-4F27-B5CF-49572A2DBC8E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "0AF1EDA0-2712-4C3C-8D8A-89E154BB63DF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "88DC0A82-CAF3-4E88-8A4D-8AF79D0C226D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "6239D93F-CA0E-4120-96A1-FB63276EAEE8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-aug-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "25F19D02-1FFC-48AF-9CB8-063C459E7A4B"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2021-r1:*:*:*:*:*:*", "matchCriteriaId": "CD382E2D-0B51-4908-989A-88E083FC85BF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "299284DA-85AB-4162-B858-E67E5C6C14F7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "38B7AB56-AB65-4557-A91C-40CA2FD12351"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-dec-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "858B0736-2272-4D5A-A77F-47023D21F7D0"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "61D507C0-086B-4139-A560-126964DFA579"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "D98F307E-3B01-4C17-86E5-1C6299919417"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "952CA843-7CF0-4424-BDA4-3F2A93E077B6"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-feb-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "39F64BAA-2E49-4919-A940-219391383D5E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "57B125ED-D939-4CBC-9E96-BBCF02402A69"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "7D7DA96D-9C25-4DDA-A6BF-D998AC346B89"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "07AC19C6-D245-4C3A-90CC-A931A901EA0A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jan-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "FDA1685E-D101-46F6-8857-7F0894E07748"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jul-2022-r1:*:*:*:*:*:*", "matchCriteriaId": "DF85AA7B-E1C7-4946-92B4-E4D545CAACDF"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jul-2023-r1:*:*:*:*:*:*", "matchCriteriaId": "34114DDC-DCDA-4306-8D23-2E628873171F"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jul-2024-r1:*:*:*:*:*:*", "matchCriteriaId": "B6871BC1-19F4-4F0C-88D8-4000590D8D5A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:samsung:android:13.0:smr-jul-2025-r1:*:*:*:*:*:*", "matchCriteriaId": "4684DF1E-B783-4C81-A3D0-D09AD2610866"}, {"vulnerable": true, "c ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.