Samsung SmartThings Auth Bypass via Improper Sign Verif on Hub API
CVE-2025-2233 Published on March 11, 2025

Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability
Samsung SmartThings Improper Verification of Cryptographic Signature Authentication Bypass Vulnerability. This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Samsung SmartThings. Authentication is not required to exploit this vulnerability. The specific flaw exists within the Hub Local API service, which listens on TCP port 8766 by default. The issue results from the lack of proper verification of a cryptographic signature. An attacker can leverage this vulnerability to bypass authentication on the system. Was ZDI-CAN-25615.

NVD

Weakness Type

Improper Verification of Cryptographic Signature

The software does not verify, or incorrectly verifies, the cryptographic signature for data.


Products Associated with CVE-2025-2233

Want to know whenever a new CVE is published for Samsung Smartthings? stack.watch will email you.

Samsung Smartthings
 

Affected Versions

Samsung SmartThings Version 000.054.00013 is affected by CVE-2025-2233

Exploit Probability

EPSS
0.07%
Percentile
22.17%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.