CVE-2025-2233: Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability
Description
Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Samsung SmartThings. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Hub Local API service, which listens on TCP port 8766 by default. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25615.
Classification
CVE ID: CVE-2025-2233
CVSS Base Severity: HIGH
CVSS Base Score: 8.8
CVSS Vector: CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products
Vendor: Samsung
Product: SmartThings
Exploit Prediction Scoring System (EPSS)
EPSS Score: 0.01% (probability of being exploited)
EPSS Percentile: 0.78% (scored less or equal to compared to others)
EPSS Date: 2025-04-09 (when was this score calculated)
References
https://nvd.nist.gov/vuln/detail/CVE-2025-2233https://www.zerodayinitiative.com/advisories/ZDI-25-127/