CVE-2025-54328 Overview
A critical stack-based buffer overflow vulnerability has been identified in the SMS parsing functionality of Samsung Exynos mobile processors, wearable processors, and modems. The vulnerability exists in the code responsible for parsing SMS RP-DATA (Relay Protocol Data) messages, which are fundamental to SMS transmission in cellular networks. When a maliciously crafted SMS RP-DATA message is processed by an affected device, the insufficient bounds checking allows an attacker to overflow the stack buffer, potentially leading to arbitrary code execution at the baseband processor level.
This vulnerability is particularly severe because it can be exploited remotely over the cellular network without requiring any user interaction or authentication. An attacker only needs to know the victim's phone number to send a specially crafted SMS message that triggers the vulnerability.
Critical Impact
Remote code execution at the baseband processor level via malicious SMS messages, requiring no user interaction and potentially affecting millions of Samsung devices including smartphones and wearables.
Affected Products
- Samsung Exynos Mobile Processors: 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500
- Samsung Exynos Wearable Processors: 9110, W920, W930, W1000
- Samsung Exynos Modems: 5123, 5300, 5400
Discovery Timeline
- April 6, 2026 - CVE-2025-54328 published to NVD
- April 7, 2026 - Last updated in NVD database
Technical Details for CVE-2025-54328
Vulnerability Analysis
The vulnerability resides in the SMS RP-DATA message parsing routine within the baseband firmware of affected Samsung Exynos processors. SMS RP-DATA messages are part of the Short Message Relay Layer (SM-RL) protocol defined in 3GPP TS 24.011, which handles the reliable transfer of SMS messages between the mobile device and the Short Message Service Center (SMSC).
The baseband processor handles these messages at a very low level, separate from the main application processor running Android or other operating systems. This makes the vulnerability particularly dangerous as exploitation occurs before any operating system-level security controls can intervene. Code execution at the baseband level could allow an attacker to intercept calls and SMS messages, access cellular network credentials, or potentially pivot to compromise the main application processor.
Root Cause
The root cause is CWE-121: Stack-based Buffer Overflow. The SMS RP-DATA parsing function allocates a fixed-size stack buffer for processing incoming message elements but fails to properly validate the length fields within the RP-DATA Information Element (IE) structures before copying data. When an attacker sends an RP-DATA message with oversized length values, the parsing routine writes beyond the allocated stack buffer boundaries, corrupting adjacent stack memory including return addresses and saved registers.
Attack Vector
The attack can be executed remotely over the cellular network by sending a specially crafted SMS message to the target device. The attack characteristics include:
- Network-based delivery: The malicious SMS can be sent from any device or service capable of sending SMS messages
- Zero-click exploitation: No user interaction is required; the vulnerability triggers during automatic message processing
- No authentication required: The attacker only needs the victim's phone number
- Cross-scope impact: Successful exploitation at the baseband level can affect both the modem subsystem and potentially the main application processor
The exploitation process involves sending an SMS RP-DATA message containing malformed length fields that cause the baseband firmware to write attacker-controlled data past the end of a stack buffer. By carefully constructing the overflow payload, an attacker can overwrite the return address on the stack and redirect execution to shellcode embedded within the SMS payload itself.
Detection Methods for CVE-2025-54328
Indicators of Compromise
- Unusual baseband processor crashes or device reboots without apparent cause
- Unexpected SMS message processing errors logged in device diagnostic logs
- Anomalous network traffic patterns from the cellular modem subsystem
- Device exhibiting signs of compromise such as unauthorized call forwarding or message interception
Detection Strategies
- Monitor for devices experiencing repeated baseband processor crashes or unexpected restarts
- Implement network-level SMS filtering at the carrier level to detect malformed RP-DATA messages with anomalous length fields
- Deploy mobile device management (MDM) solutions that can monitor device health and detect baseband-level anomalies
- Review cellular network logs for unusual SMS delivery patterns targeting specific device models
Monitoring Recommendations
- Enable enhanced logging on affected devices where available to capture baseband processor events
- Implement carrier-side SMS firewall rules to inspect and filter RP-DATA messages with suspicious characteristics
- Monitor for security advisories from Samsung regarding firmware updates for affected processors
- Track device telemetry for patterns indicating exploitation attempts across device fleets
How to Mitigate CVE-2025-54328
Immediate Actions Required
- Apply Samsung firmware updates as soon as they become available for affected processors
- Contact device manufacturers for patch availability timelines for specific device models
- Consider temporarily disabling SMS functionality on high-value targets until patches are deployed
- Implement carrier-level SMS filtering if available to block malformed messages
Patch Information
Samsung has acknowledged this vulnerability and published security update information. Device owners should check for firmware updates through their device manufacturer's update channels. The baseband firmware updates are typically delivered as part of device system updates.
For detailed patch information, refer to Samsung Product Security Updates and Samsung CVE-2025-54328 Advisory.
Workarounds
- Enable VoLTE-only mode if supported, as this may reduce exposure to legacy SMS-based attacks
- Use alternative messaging platforms (Signal, WhatsApp, etc.) instead of SMS where possible
- For enterprise environments, implement MDM policies to restrict SMS functionality on high-risk devices
- Work with cellular carriers to enable SMS filtering or firewall capabilities at the network level
- Consider using eSIM profiles that may allow quicker firmware updates for modem components
# Check device baseband version on Android
adb shell getprop gsm.version.baseband
# Monitor for baseband crashes in device logs
adb logcat -b radio | grep -i "crash\|overflow\|exception"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
