Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in NAS in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect Handling of a DL NAS Transport packet leads to a Denial of Service.
AnalysisAI
Denial of service in Samsung Exynos chipsets' NAS (Non-Access Stratum) layer allows remote unauthenticated attackers to crash mobile devices via malformed Downlink NAS Transport packets. Affects 23+ Exynos processor and modem variants used in mobile phones, wearables, and cellular modems (980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, 5300, 5400). Despite CVSS 7.5, EPSS shows only 0.02% exploitation probability (5th percentile), and no public exploit or active exploitation confirmed at time of analysis.
Technical ContextAI
The vulnerability resides in the Non-Access Stratum (NAS) protocol implementation within Samsung Exynos chipsets' cellular baseband processors. NAS handles signaling between mobile devices and the core network (independent of the radio access technology), managing functions like authentication, mobility, and session management. The flaw (CWE-400: Uncontrolled Resource Consumption) stems from improper validation when processing Downlink NAS Transport messages from the network to the device. These messages carry upper-layer data encapsulated within NAS signaling. Incorrect handling-likely missing bounds checks, malformed TLV parsing, or unbounded resource allocation-allows specially crafted packets to exhaust resources or trigger crash conditions in the baseband firmware. This affects a broad range of Exynos mobile processors (flagship 2100/2200/2400/2500, mid-range 980/990/1080/1280/1380/1480/1580, entry-level 850, wearable W-series) and standalone modems (5123/5300/5400), spanning multiple device generations across smartphones, smartwatches, and IoT products.
RemediationAI
Apply firmware updates from device manufacturers incorporating Samsung's baseband security patch. Samsung Semiconductor has published advisory details at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-54324/ with chipset-level patch availability. End-users should install Android security updates from Samsung Mobile, Google (for Pixel devices with Exynos variants), Vivo, and other OEMs using affected Exynos chipsets-typically distributed through monthly Android Security Bulletin updates. Enterprise deployments should verify baseband firmware versions through MDM tools and prioritize updates for devices used in sensitive locations where rogue base station attacks are plausible. No user-level workarounds exist (cellular connectivity cannot be selectively hardened), making vendor patches the sole mitigation. Monitor Samsung's semiconductor security portal and device OEM security bulletins for exact patched firmware build numbers.
Arbitrary file write as SYSTEM in Samsung MagicINFO 9 Server before version 21.1050 allows remote attackers to place att
Samsung MagicINFO 9 Server contains a path traversal vulnerability allowing unauthenticated attackers to write arbitrary
Multiple stack-based buffer overflows in the BackupToAvi method in the (1) UMS_Ctrl 1.5.1.1 and (2) UMS_Ctrl_STW 2.0.1.0
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices suffers from an Unrestricted file upload vulnerability: 'network_ssl_u
Web Viewer 1.0.0.193 on Samsung SRN-1670D devices allows remote attackers to read arbitrary files via a request to an un
Samsung Internet Browser 5.4.02.3 allows remote attackers to bypass the Same Origin Policy and obtain sensitive informat
Buffer overflow in the PrepareSync method in the SyncService.dll ActiveX control in Samsung Kies before 2.5.1.12123_2_7
The Samsung D6000 TV and possibly other products allow remote attackers to cause a denial of service (continuous restart
The Samsung D6000 TV and possibly other products allows remote attackers to cause a denial of service (crash) via a long
The ConnectDDNS method in the (1) STWConfigNVR 1.1.13.15 and (2) STWConfig 1.1.14.13 ActiveX controls in Samsung NET-i v
Multiple directory traversal vulnerabilities in Samsung SyncThru 6 before 1.0 allow remote attackers to delete arbitrary
Stack-based buffer overflow in the RequestScreenOptimization function in the XProcessControl.ocx ActiveX control in msls
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209241