CISA Flags 8 Actively Exploited Flaws in Samsung and D-Link Devices
The US Cybersecurity and Infrastructure Agency (CISA) has placed a set of eight weaknesses for Known Exploitable Vulnerabilities (KEV) catalog, based on evidence of active exploitation.
This includes six flaws affecting Samsung smartphones and two vulnerabilities affecting D-Link devices. All flaws have been patched in 2021.
- CVE-2021-25394 (CVSS score: 6.4) – Samsung mobile device race condition vulnerabilities
- CVE-2021-25395 (CVSS score: 6.4) – Samsung mobile device race condition vulnerabilities
- CVE-2021-25371 (CVSS Score: 6.7) – Unspecified vulnerability in DSP driver used on Samsung mobile devices that allows loading arbitrary ELF libraries
- CVE-2021-25372 (CVSS score: 6.7) – Incorrect bounds check on Samsung mobile device in DSP driver on Samsung mobile device
- CVE-2021-25487 (CVSS score: 7.8) – Samsung mobile device out-of-bounds read vulnerability leading to arbitrary code execution
- CVE-2021-25489 (CVSS Score: 5.5) – Incorrect Samsung Mobile device input validation vulnerability resulting in kernel panic
- CVE-2019-17621 (CVSS score: 9.8) – Unauthenticated remote code execution vulnerability in D-Link DIR-859 Router
- CVE-2019-20500 (CVSS Score: 7.8) – Authenticated OS command injection vulnerability in D-Link DWL-2600AP
The addition of two D-Link vulnerabilities follows a report from Palo Alto Networks Unit 42 last month about threat actors associated with a variant of the Mirai botnet utilise vulnerabilities in some IoT devices to spread malware in a series of attacks starting in March 2023.
However, it wasn’t immediately clear how flaws in Samsung’s devices were wildly exploited. But given the nature of their targeting, it’s likely they have been used by commercial spyware vendors in highly targeted attacks.
It’s worth noting that Google Project Zero revealed a set of flaws in November 2022 it said armed as part of a chain of exploits aimed at Samsung handsets.
With respect to active exploits, Federal Civilian Executive Branch (FCEB) agencies are required to implement the necessary fixes by July 20, 2023, to secure their networks against potential threats.
