Skip to main content

Jwt Attack CVE-2026-20997

| EUVDEUVD-2026-12311 MEDIUM
Improper Verification of Cryptographic Signature (CWE-347)
2026-03-16 SamsungMobile
5.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

3
EUVD ID Assigned
Mar 16, 2026 - 05:00 euvd
EUVD-2026-12311
Analysis Generated
Mar 16, 2026 - 05:00 vuln.today
CVE Published
Mar 16, 2026 - 04:32 nvd
MEDIUM 5.3

DescriptionCVE.org

Improper verification of cryptographic signature in Smart Switch prior to version 3.7.69.15 allows remote attackers to potentially bypass authentication.

AnalysisAI

Smart Switch prior to version 3.7.69.15 contains an improper cryptographic signature verification vulnerability that allows remote attackers to bypass authentication mechanisms. The vulnerability has a CVSS score of 5.3 with network-based attack vector and low complexity, requiring only user interaction. While no public exploit or KEV status has been confirmed, the authentication bypass capability presents a moderate risk for unauthorized access to affected devices.

Technical ContextAI

This vulnerability stems from a failure to properly validate cryptographic signatures, which are fundamental security controls for verifying the authenticity and integrity of messages or software components. The affected product, Smart Switch, likely uses signature verification as part of its authentication or firmware validation processes. The improper implementation allows attackers to craft malicious requests or payloads that pass signature checks despite being unsigned or incorrectly signed. CWE mapping to signature verification failures (CWE-347: Improper Verification of Cryptographic Signature) indicates the root cause is insufficient or missing validation logic in the cryptographic signature verification routine. Smart Switch versions before 3.7.69.15 are vulnerable; the exact CPE string for this product would be cpe:2.3:a:vendor:smart_switch:*:*:*:*:*:*:*:* with version constraint prior to 3.7.69.15.

RemediationAI

Immediately upgrade Smart Switch to version 3.7.69.15 or later, which patches the cryptographic signature verification flaw. Users should visit Samsung's official support portal or use the automatic update mechanism within Smart Switch to deploy the patched version. Until patching is complete, restrict network access to Smart Switch instances through firewall rules, disable remote management features if not required, and implement network segmentation to limit the blast radius of potential authentication bypass exploitation. Monitor authentication logs for suspicious sign-in attempts or unauthorized configuration changes.

CVE-2013-3900 MEDIUM
5.5 Dec 11

Why is Microsoft republishing a CVE from 2013? We are republishing CVE-2013-3900 in the Security Update Guide to update

CVE-2026-48558 CRITICAL POC
9.5 Jun 12

Authentication bypass in SimpleHelp 5.5.15 and prior (plus 6.0 pre-release builds) allows remote unauthenticated attacke

CVE-2025-59718 CRITICAL
9.8 Dec 09

Authentication bypass in Fortinet FortiOS, FortiProxy, and FortiSwitchManager allows unauthenticated remote attackers to

CVE-2025-25291 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2025-25292 CRITICAL POC
9.3 Mar 12

ruby-saml provides security assertion markup language (SAML) single sign-on (SSO) for Ruby. Rated critical severity (CVS

CVE-2022-25898 CRITICAL POC
9.8 Jul 01

The package jsrsasign before 10.5.25 are vulnerable to Improper Verification of Cryptographic Signature when JWS or JWT

CVE-2024-42004 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in Microsoft Teams (work or school) 24046.2813.2770.1094 for macOS. Rated criti

CVE-2024-41145 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the WebView.app helper app of Microsoft Teams (work or school) 24046.2813.27

CVE-2024-41138 CRITICAL POC
9.8 Dec 18

A library injection vulnerability exists in the com.microsoft.teams2.modulehost.app helper app of Microsoft Teams (work

CVE-2024-45409 CRITICAL POC
9.8 Sep 10

The Ruby SAML library is for implementing the client side of a SAML authorization. Rated critical severity (CVSS 9.8), t

CVE-2022-35929 CRITICAL POC
9.8 Aug 04

cosign is a container signing and verification utility. Rated critical severity (CVSS 9.8), this vulnerability is remote

CVE-2022-31053 CRITICAL POC
9.8 Jun 13

Biscuit is an authentication and authorization token for microservices architectures. Rated critical severity (CVSS 9.8)

Share

CVE-2026-20997 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy