Skip to main content

Smart Switch CVE-2026-20995

| EUVDEUVD-2026-12307 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-03-16 SamsungMobile
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 05:00 euvd
EUVD-2026-12307
Analysis Generated
Mar 16, 2026 - 05:00 vuln.today
CVE Published
Mar 16, 2026 - 04:32 nvd
MEDIUM 5.3

DescriptionCVE.org

Exposure of sensitive functionality to an unauthorized actor in Smart Switch prior to version 3.7.69.15 allows remote attackers to set a specific configuration.

AnalysisAI

Smart Switch versions prior to 3.7.69.15 contain an exposure of sensitive functionality vulnerability that allows remote attackers to set specific configurations without proper authorization. An unauthenticated attacker can leverage network access to manipulate configuration settings on affected devices, potentially leading to information disclosure and integrity compromise. This vulnerability requires user interaction according to the CVSS vector, suggesting a social engineering or phishing component may be necessary for successful exploitation.

Technical ContextAI

The vulnerability exists in Samsung Smart Switch, a data migration and device management application used across Samsung mobile devices and ecosystem services. The root cause appears to be improper access control mechanisms that fail to adequately restrict configuration modification functions to authorized users. The absence of explicit CWE attribution suggests this may involve multiple contributing factors including authentication bypass or insecure direct object references (IDOR-like patterns). The CVSS 4.0 vector indicates the attack surface is network-accessible with low attack complexity, meaning no special conditions or tool development is required for exploitation. The vulnerable component handles sensitive device configuration settings that should remain protected from unauthorized modification.

RemediationAI

The primary remediation is to upgrade Samsung Smart Switch to version 3.7.69.15 or later immediately. Users can download the latest version from Samsung's official website or through automatic update mechanisms available within the application itself. For environments where immediate patching is not feasible, restrict Smart Switch usage to trusted networks only and disable remote configuration capabilities if such options are available in the application settings. Additionally, monitor Smart Switch logs for unauthorized configuration change attempts and consider restricting which user accounts have permission to execute Smart Switch on shared devices. Organizations managing multiple devices should use Samsung's mobile device management (MDM) solutions to centrally enforce configuration protection and ensure all instances are updated to the patched version.

Share

CVE-2026-20995 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy