Smartthings
CVE-2021-25508
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionNVD
Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation.
AnalysisAI
Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Improper Privilege Management (CWE-269), which allows attackers to escalate privileges to gain unauthorized elevated access. Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation. Affected products include: Samsung Smartthings. Version information: prior to 1.7.73.22.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply principle of least privilege, validate privilege transitions, implement proper role separation.
More in Smartthings
View allImproper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart d
Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for
Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows atta
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows atta
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows atta
Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows atta
Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attacke
Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attac
Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attacker
Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access senstive information remotely
Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today