Saturday, March 2, 2024

CISA Adds Samsung Phone Flaws to 'Must Patch' List, Likely Exploited by Spyware Vendor

The US Cybersecurity and Infrastructure Security Agency (CISA) has included several vulnerabilities affecting Samsung smartphones in its Known Exploited Vulnerabilities Catalog. It is highly likely that these flaws have been exploited by a commercial spyware vendor.
CISA updated its catalog with eight new vulnerabilities, including two vulnerabilities in D-Link routers and access points that were exploited by a Mirai botnet variant. The remaining six vulnerabilities impact Samsung mobile devices, and they were all addressed by Samsung through patches released in 2021.
Among the vulnerabilities is CVE-2021-25487, an out-of-bounds read issue in the modem interface driver that can lead to arbitrary code execution. This vulnerability was fixed by Samsung in October 2021. Although Samsung has classified it as moderate, its severity is considered high according to the CVSS score.
Another vulnerability addressed in the same October 2021 patch batch is CVE-2021-25489, a low-severity format string bug in the modem interface driver that can result in a Denial-of-Service (DoS) condition.

CISA also included moderate-severity vulnerabilities CVE-2021-25394 and CVE-2021-25395, which are use-after-free bugs in the MFC charger driver. Samsung resolved these issues in May 2021.
The remaining two vulnerabilities are CVE-2021-25371, a moderate-severity flaw that allows an attacker to load arbitrary ELF files inside the DSP driver, and CVE-2021-25372, a moderate-severity out-of-bounds access vulnerability in the same driver. Samsung patched both vulnerabilities in March 2021.

It is worth noting that Samsung has not updated its old advisories to warn users about the exploitation of these vulnerabilities.

While there are no public reports of exploitation for the Samsung mobile device vulnerabilities added to CISA's 'must-patch' list, it is highly likely that a commercial spyware vendor has already taken advantage of them.

In November 2022, Google disclosed three similar Samsung phone vulnerabilities with 2021 CVEs that an unnamed spyware vendor had exploited against Android devices while they were still zero-days. These three vulnerabilities were patched in March 2021. Google also indicated that it was aware of several other Samsung vulnerabilities with 2021 CVEs that had been exploited in attacks.

This suggests that the vulnerabilities added to CISA's catalog this week have also been exploited by spyware vendors, with Google monitoring their activities. SecurityWeek has reached out to Google for confirmation on this matter.

Related: Google Links Exploitation Frameworks to Spanish Spyware Vendor Variston

Related: New Samsung Message Guard Protects Mobile Devices Against Zero-Click Exploits

Related: Android Security Update Patches Kernel Vulnerability Exploited by Spyware Vendor
