CVE-2017-18654
Description
An issue was discovered on Samsung mobile devices with M(6.0) and N(7.0, 7.1) software. An unauthenticated attacker can register a new security certificate. The Samsung ID is SVE-2017-9659 (September 2017).
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
On Samsung mobile devices with M(6.0) and N(7.0, 7.1), an unauthenticated attacker can register a new security certificate, undermining device trust.
Vulnerability
On Samsung mobile devices running Android M(6.0) and N(7.0, 7.1) software, an unauthenticated attacker can register a new security certificate [1]. This flaw, identified as Samsung ID SVE-2017-9659 (September 2017), allows an untrusted certificate to be added to the device's trusted store without requiring authentication.
Exploitation
An attacker with no prior authentication can exploit this vulnerability by simply registering a new security certificate on the device. No special network position, user interaction, or race condition is required. The attacker can perform this action remotely or locally, as the device fails to enforce authentication for certificate registration.
Impact
Successful exploitation enables the attacker to install a malicious certificate trusted by the device. This undermines the device's trust model, potentially allowing the attacker to intercept or modify encrypted communications (man-in-the-middle), bypass certificate validation, and gain unauthorized access to sensitive data. The compromise affects the confidentiality and integrity of network communications.
Mitigation
Samsung addressed this vulnerability in a security update released in September 2017 [1]. Users should ensure their device is updated to the latest firmware that includes the fix. There is no known workaround; applying the security patch is the recommended mitigation. This CVE is not listed on the CISA KEV.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Samsung/mobile devices
Patches
No patches discovered yet.
References
[1] security.samsungmobile.com/securityUpdate.smsb (mitre, x_refsource_CONFIRM)