SmartThings
CVEs (21)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-2233 | 0.00 | — | 0.00 | Mar 11, 2025 | Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Samsung SmartThings. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Hub Local API service, which listens on TCP port 8766 by default. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25615. | |||
| CVE-2024-49416 | 0.00 | — | 0.00 | Dec 3, 2024 | Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information. | |||
| CVE-2024-34596 | 0.00 | — | 0.00 | Jul 2, 2024 | Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner. | |||
| CVE-2024-20852 | 0.00 | — | 0.00 | Apr 2, 2024 | Improper verification of intent by broadcast receiver vulnerability in SmartThings prior to version 1.8.13.22 allows local attackers to access testing configuration. | |||
| CVE-2023-21432 | 0.00 | — | 0.00 | Feb 9, 2023 | Improper access control vulnerabilities in Smart Things prior to 1.7.93 allows to attacker to invite others without authorization of the owner. | |||
| CVE-2022-39865 | 0.00 | — | 0.00 | Oct 7, 2022 | Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | |||
| CVE-2022-39866 | 0.00 | — | 0.00 | Oct 7, 2022 | Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | |||
| CVE-2022-39867 | 0.00 | — | 0.00 | Oct 7, 2022 | Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast. | |||
| CVE-2022-39868 | 0.00 | — | 0.00 | Oct 7, 2022 | Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast. | |||
| CVE-2022-39871 | 0.00 | — | 0.00 | Oct 7, 2022 | Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts. | |||
| CVE-2022-39869 | 0.00 | — | 0.00 | Oct 7, 2022 | Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast. | |||
| CVE-2022-39864 | 0.00 | — | 0.00 | Oct 7, 2022 | Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent. | |||
| CVE-2022-39870 | 0.00 | — | 0.00 | Oct 7, 2022 | Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast. | |||
| CVE-2022-30749 | 0.00 | — | 0.00 | Jun 7, 2022 | Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity. | |||
| CVE-2022-30747 | 0.00 | — | 0.00 | Jun 7, 2022 | PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent. | |||
| CVE-2022-30746 | 0.00 | — | 0.00 | Jun 7, 2022 | Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access senstive information remotely using javascript interface API. | |||
| CVE-2021-25508 | 0.00 | — | 0.00 | Nov 5, 2021 | Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation. | |||
| CVE-2021-25447 | 0.00 | — | 0.00 | Aug 5, 2021 | Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview. | |||
| CVE-2021-25446 | 0.00 | — | 0.00 | Aug 5, 2021 | Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause arbitrary webpage loading in webview. | |||
| CVE-2021-25404 | 0.00 | — | 0.00 | Jun 11, 2021 | Information Exposure vulnerability in SmartThings prior to version 1.7.64.21 allows attacker to access user information via log. |
- CVE-2025-2233Mar 11, 2025risk 0.00cvss —epss 0.00
Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Samsung SmartThings. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Hub Local API service, which listens on TCP port 8766 by default. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25615.
- CVE-2024-49416Dec 3, 2024risk 0.00cvss —epss 0.00
Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information.
- CVE-2024-34596Jul 2, 2024risk 0.00cvss —epss 0.00
Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner.
- CVE-2024-20852Apr 2, 2024risk 0.00cvss —epss 0.00
Improper verification of intent by broadcast receiver vulnerability in SmartThings prior to version 1.8.13.22 allows local attackers to access testing configuration.
- CVE-2023-21432Feb 9, 2023risk 0.00cvss —epss 0.00
Improper access control vulnerabilities in Smart Things prior to 1.7.93 allows to attacker to invite others without authorization of the owner.
- CVE-2022-39865Oct 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- CVE-2022-39866Oct 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- CVE-2022-39867Oct 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast.
- CVE-2022-39868Oct 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.
- CVE-2022-39871Oct 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.
- CVE-2022-39869Oct 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.
- CVE-2022-39864Oct 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.
- CVE-2022-39870Oct 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.
- CVE-2022-30749Jun 7, 2022risk 0.00cvss —epss 0.00
Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity.
- CVE-2022-30747Jun 7, 2022risk 0.00cvss —epss 0.00
PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.
- CVE-2022-30746Jun 7, 2022risk 0.00cvss —epss 0.00
Missing caller check in Smart Things prior to version 1.7.85.12 allows attacker to access senstive information remotely using javascript interface API.
- CVE-2021-25508Nov 5, 2021risk 0.00cvss —epss 0.00
Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation.
- CVE-2021-25447Aug 5, 2021risk 0.00cvss —epss 0.00
Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause local file inclusion in webview.
- CVE-2021-25446Aug 5, 2021risk 0.00cvss —epss 0.00
Improper access control vulnerability in SmartThings prior to version 1.7.67.25 allows untrusted applications to cause arbitrary webpage loading in webview.
- CVE-2021-25404Jun 11, 2021risk 0.00cvss —epss 0.00
Information Exposure vulnerability in SmartThings prior to version 1.7.64.21 allows attacker to access user information via log.
Page 1 of 2