Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
An issue was discovered in MM in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. Incorrect handling of 5G NR NAS registration accept messages leads to a Denial of Service.
AnalysisAI
Denial of Service vulnerability in Samsung Exynos chipsets (980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, W920, W930, W1000, and modems 5123, 5300, 5400) allows remote unauthenticated attackers to crash devices by sending malformed 5G NR NAS registration accept messages. The flaw affects the Mobility Management (MM) component's message parser, triggering resource exhaustion (CWE-770) that disrupts cellular connectivity. CVSS 7.5 (High) with network attack vector and no prerequisites, though EPSS indicates only 0.02% exploitation probability and no public exploits identified at time of analysis.
Technical ContextAI
This vulnerability resides in the Mobility Management (MM) layer of Samsung's Exynos baseband processors, which handles 5G Non-Standalone (NR) Network Attached Subsystem (NAS) protocol messages during device registration with cellular networks. NAS registration accept messages are sent by the 5G core network to confirm successful device attachment. The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling), indicating the MM component fails to properly validate or constrain resource consumption when processing malformed registration messages. This affects both Application Processors (Exynos 980/990/850/2100/1280/2200/1330/1380/1480/2400/1580/2500) and dedicated modem chipsets (Modem 5123/5300/5400), plus wearable processors (W920/W930/W1000). The vulnerability sits at the intersection of cellular protocol implementation and low-level firmware, making it accessible via the radio interface without requiring physical access or user interaction.
RemediationAI
Apply firmware updates from Samsung Semiconductor as documented in the official security bulletin at https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-66369/. For end users, updates are typically delivered through device manufacturer OTA updates-check with Samsung Mobile or device OEM for availability. Specific patched firmware versions are not disclosed in public advisories. Compensating controls for high-risk environments: temporarily disable 5G connectivity and force devices to 4G/LTE mode through network settings (Settings > Connections > Mobile Networks > Network Mode > LTE/3G/2G), which eliminates exposure to 5G NR NAS message parsing but reduces network performance and disables 5G features. In enterprise deployments, implement network-based monitoring for unusual cellular disconnection patterns that might indicate exploitation attempts. No firewall or network segmentation mitigations apply as the vulnerability exists in cellular baseband firmware accessible only via radio interface.
Remote code execution in APScheduler (all versions through 3.10.x and 4.0.0a5) is achievable when applications deseriali
Unauthenticated remote OS command injection in MeiG Smart FORGE_SLT711 cellular gateway firmware MDM9607.LE.1.0-00110-ST
Unauthenticated API access in LalanaChami Pharmacy Management System (commit 5c3d028) allows remote attackers to dump al
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write o
Giflib 5.2.2 contains a buffer overflow in the EGifGCBToExtension function that fails to validate allocated memory when
Denial of service in GPAC's MP4Box multimedia tool (versions before 26.02.0) arises from a use-after-free in the gf_sei_
Arbitrary kernel memory read/write in Realtek rtl819x Jungle SDK Wi-Fi driver allows local unprivileged attackers to acc
Denial of service in GPAC's MP4Box/libgpac media importer (versions before 26.02.0) lets an attacker crash the tool by s
An issue in the parse_month function (/time/strptime.rs) of relibc commit ab6a2e allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library) at commit 61f42d allows attackers to crash a process by ge
An issue in the pthread_rwlockattr_setpshared() function of relibc commit 61f42d allows attackers to cause a Denial of S
Denial of service in relibc (the Redox OS C standard library implementation, commit 61f42d) lets attackers crash a proce
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209645
GHSA-386p-v9x3-gxpm