CVE-2021-25374

8.6 HIGH

📋 TL;DR

An improper authorization vulnerability in Samsung Members app's 'samsungrewards' deeplink scheme allows remote attackers to access user data associated with Samsung Account. This affects Samsung Members app users on Android 8.1 and below (version 2.4.83.9) and Android 9.0 and above (version 3.9.00.9). Attackers can exploit this without user interaction via malicious links or apps.

💻 Affected Systems

Products:
  • Samsung Members app
Versions: 2.4.83.9 for Android O (8.1) and below, 3.9.00.9 for Android P (9.0) and above
Operating Systems: Android 8.1 and below, Android 9.0 and above
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in specific versions across different Android OS versions. Requires Samsung Members app to be installed and accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of Samsung Account data including personal information, authentication tokens, and potentially access to connected Samsung services and devices.

🟠 Likely Case: Unauthorized access to sensitive user data stored in Samsung Account, potentially leading to identity theft, privacy violations, and account takeover.

🟢 If Mitigated: Limited data exposure if app permissions are restricted and network controls prevent malicious deeplink execution.

🌐 Internet-Facing: HIGH - Exploitable via malicious links, emails, or web pages that trigger the vulnerable deeplink scheme remotely.
🏢 Internal Only: MEDIUM - Could be exploited internally via phishing or malicious apps, but requires user interaction with malicious content.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW - Exploitation involves crafting malicious deeplinks that trigger the vulnerable scheme without authentication.

Exploitation requires the user to click a malicious link or to have a malicious app installed that can trigger deeplinks. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.4.83.9 for Android 8.1/below and after 3.9.00.9 for Android 9.0/above

Vendor Advisory: https://security.samsungmobile.com/serviceWeb.smsb

Restart Required: No

Instructions:

  1. Open Google Play Store on the Android device.
  2. Search for 'Samsung Members'.
  3. If an update is available, tap 'Update'.
  4. Alternatively, update through Samsung Galaxy Store if installed.

🔧 Temporary Workarounds

Disable Samsung Members app (Android)

Temporarily disable the vulnerable app to prevent exploitation:

  adb shell pm disable-user --user 0 com.samsung.android.voc

Restrict deeplink handling (Android)

Configure Android to prompt before opening deeplinks or restrict Samsung Members app links:

  Navigate to Settings > Apps > Samsung Members > Open by default > Clear defaults

🧯 If You Can't Patch

  • Disable Samsung Members app via device administrator controls
  • Implement network filtering to block malicious deeplink URLs and educate users about phishing risks

🔍 How to Verify

Check if Vulnerable:

Check Samsung Members app version in device settings: Settings > Apps > Samsung Members > App info

Check Version:

adb shell dumpsys package com.samsung.android.voc | grep versionName

Verify Fix Applied:

Verify Samsung Members app version is higher than 2.4.83.9 (Android 8.1/below) or 3.9.00.9 (Android 9.0/above)
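As an added example (not part of this advisory), a POSIX sh check that extracts versionName from the dumpsys output quoted above and applies the advisory's two thresholds, choosing the 2.x or 3.x limit from the Android release; the dumpsys snippet is constructed, and the function names are my own.

```shell
#!/bin/sh
# Compare two dotted numeric versions; prints -1, 0 or 1 for a<b, a==b, a>b.
# Missing trailing components count as 0, so "1.0" == "1.0.0".
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}; bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        ah=${ah:-0}; bh=${bh:-0}
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}

# Pull the first versionName out of `dumpsys package com.samsung.android.voc`
# output read on stdin (constructed sample below; real output is much longer).
parse_version() {
    sed -n 's/^[[:space:]]*versionName=\([0-9.]*\).*/\1/p' | head -n 1
}

# Return 0 (true) when the installed build is at or below the advisory's
# affected version for the given Android release, 1 otherwise.
# Advisory mapping: Android 9.0+ -> 3.9.00.9, Android 8.1 and below -> 2.4.83.9.
members_vulnerable() {
    ver=$1; android=$2
    if [ "$(vercmp "$android" 9.0)" -ge 0 ]; then
        limit=3.9.00.9
    else
        limit=2.4.83.9
    fi
    [ "$(vercmp "$ver" "$limit")" -le 0 ]
}

# Constructed dumpsys excerpt, standing in for:
#   adb shell dumpsys package com.samsung.android.voc
SAMPLE_DUMPSYS='Packages:
  Package [com.samsung.android.voc] (placeholder):
    versionCode=390009 minSdk=28 targetSdk=30
    versionName=3.9.00.9'
```

On a real device, replace the sample with `adb shell dumpsys package com.samsung.android.voc | parse_version` and pass `adb shell getprop ro.build.version.release` as the second argument.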

📡 Detection & Monitoring

Log Indicators:

  • Unusual deeplink activations for 'samsungrewards' scheme
  • Samsung Members app accessing Samsung Account data unexpectedly

Network Indicators:

  • HTTP/HTTPS requests to Samsung services following deeplink activation
  • Unusual outbound connections after clicking links

SIEM Query:

source="android_logs" app="Samsung Members" (event="deeplink" OR event="intent") scheme="samsungrewards"
