CVE-2022-33688

Vulnerability

A sensitive information exposure vulnerability exists in the EventType component of SecTelephonyProvider on Samsung mobile devices prior to the SMR Jul-2022 Release 1 security update [1]. The flaw allows the IMSI (International Mobile Subscriber Identity) to be written into device logs when telephony events are processed, making this subscriber identifier accessible to any local process or user with log access permission.

Exploitation

An attacker must have local access to the device and possess the log access permission (typically granted to system applications or through ADB debugging). No user interaction is required. The attacker can read the device logs (e.g., via logcat or log files) and parse the entries generated by SecTelephonyProvider to extract the IMSI value that was inadvertently recorded in the event logs.

Impact

Successful exploitation results in disclosure of the device's IMSI, a persistent and sensitive identifier that can be used for subscriber tracking, location correlation, or SIM cloning attacks. The attacker gains no code execution or file write capability, only information disclosure at the level of the logged-in user or process with log access.

Mitigation

The vulnerability is patched in the Samsung Security Maintenance Release (SMR) for July 2022 [1]. Users should apply the SMR Jul-2022 Update (Release 1 or later) via the device's system update mechanism. No workaround is available for unpatched devices. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.