Samsung Smartthings


By the Year

In 2026 there have been 0 vulnerabilities in Samsung Smartthings. Last year, in 2025, Smartthings had 2 security vulnerabilities published. Right now, Smartthings is on track to have fewer security vulnerabilities in 2026 than it did last year.

Year  Vulnerabilities  Average Score
2026  0                0.00
2025  2                0.00
2024  3                5.43
2023  1                7.80
2022  11               7.35
2021  2                7.55

It may take a day or so for new Smartthings vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Samsung Smartthings Security Vulnerabilities

Unauth attacker adds other users' devices to SmartThings scenes
CVE-2025-24315 - April 15, 2025

Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).

Insecure Direct Object Reference / IDOR

Samsung SmartThings Auth Bypass via Improper Sign Verif on Hub API
CVE-2025-2233 - March 11, 2025

Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Samsung SmartThings. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Hub Local API service, which listens on TCP port 8766 by default. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25615.

Improper Verification of Cryptographic Signature

SmartThings Implicit Intent Information Disclosure Vulnerability
CVE-2024-49416 5.5 - Medium - December 03, 2024

Use of implicit intent for sensitive communication in SmartThings prior to version 1.8.21 allows local attackers to get sensitive information.

SmartThings <1.8.17: Improper Auth Bypass Expiration
CVE-2024-34596 7.5 - High - July 02, 2024

Improper authentication in SmartThings prior to version 1.8.17 allows remote attackers to bypass the expiration date for members set by the owner.

Authentication

SmartThings Pre-1.8.13.22 Improper Intent Verification Allows Local Access
CVE-2024-20852 3.3 - Low - April 02, 2024

Improper verification of intent by broadcast receiver vulnerability in SmartThings prior to version 1.8.13.22 allows local attackers to access testing configuration.

SmartThings Improper Access Control v<1.7.93 Allows Unauthorized Invite
CVE-2023-21432 7.8 - High - February 09, 2023

Improper access control vulnerabilities in Smart Things prior to 1.7.93 allow an attacker to invite others without authorization of the owner.

SmartThings cloudNotifMgr <1.7.89 Improper Access via SHOW_PERSISTENT_BANNER
CVE-2022-39867 7.5 - High - October 07, 2022

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via SHOW_PERSISTENT_BANNER broadcast.

SmartThings <1.7.89.25: WifiSetupLaunchHelper Access via Implicit Intent
CVE-2022-39864 7.5 - High - October 07, 2022

Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 1.7.89.25 allows attackers to access sensitive information via implicit intent.

SmartThings <1.7.89.0 Improper Access Control in ContentsSharingActivity via Implicit Broadcast
CVE-2022-39865 7.5 - High - October 07, 2022

Improper access control vulnerability in ContentsSharingActivity.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

SmartThings Improper Access Control via RegisteredEventMediator.kt (pre-1.7.89.0)
CVE-2022-39866 7.5 - High - October 07, 2022

Improper access control vulnerability in RegisteredEventMediator.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

SmartThings 1.7.89.0 IoT Improper Access Control via Implicit Broadcast
CVE-2022-39868 7.5 - High - October 07, 2022

Improper access control vulnerability in GedSamsungAccount.kt SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcast.

SmartThings 1.7.89.0 Improper Access Control via REMOVE_PERSISTENT_BANNER
CVE-2022-39869 7.5 - High - October 07, 2022

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via REMOVE_PERSISTENT_BANNER broadcast.

Exposure of Resource to Wrong Sphere

SmartThings <1.7.89.0 IAC via PUSH_MESSAGE_RECEIVED broadcast
CVE-2022-39870 7.5 - High - October 07, 2022

Improper access control vulnerability in cloudNotificationManager.java SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via PUSH_MESSAGE_RECEIVED broadcast.

Exposure of Resource to Wrong Sphere

SmartThings 1.7.89.0 cloudNotificationManager Access Control Flaw
CVE-2022-39871 7.5 - High - October 07, 2022

Improper access control vulnerability cloudNotificationManager.java in SmartThings prior to version 1.7.89.0 allows attackers to access sensitive information via implicit broadcasts.

Exposure of Resource to Wrong Sphere

Improper access control vulnerability in Smart Things prior to 1.7.85.25
CVE-2022-30749 7.8 - High - June 07, 2022

Improper access control vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to add arbitrary smart devices by bypassing login activity.

Authentication

Missing caller check in Smart Things prior to version 1.7.85.12
CVE-2022-30746 7.5 - High - June 07, 2022

Missing caller check in Smart Things prior to version 1.7.85.12 allows an attacker to access sensitive information remotely using the JavaScript interface API.

AuthZ

PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25
CVE-2022-30747 5.5 - Medium - June 07, 2022

PendingIntent hijacking vulnerability in Smart Things prior to 1.7.85.25 allows local attackers to access files without permission via implicit Intent.

Incorrect Default Permissions

Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22
CVE-2021-25508 9.8 - Critical - November 05, 2021

Improper privilege management vulnerability in API Key used in SmartThings prior to 1.7.73.22 allows an attacker to abuse the API key without limitation.

Improper Privilege Management

Improper access control of certain port in SmartThings prior to version 1.7.63.6
CVE-2021-25378 5.3 - Medium - April 09, 2021

Improper access control of certain port in SmartThings prior to version 1.7.63.6 allows remote temporary denial of service.
