CVE-2025-66369 Overview
CVE-2025-66369 affects the Mobility Management (MM) component in Samsung Exynos mobile, wearable, and modem processors. The vulnerability stems from incorrect handling of 5G New Radio (NR) Non-Access Stratum (NAS) registration accept messages. An attacker on the network can trigger a Denial of Service (DoS) condition on affected baseband processors. The flaw maps to [CWE-770] Allocation of Resources Without Limits or Throttling. Samsung published advisory details for the affected Exynos chipsets. The issue impacts a broad range of Samsung silicon used in smartphones, wearables, and standalone modems.
Critical Impact
A network-adjacent attacker can disrupt 5G NR baseband connectivity on affected Samsung Exynos devices by sending malformed NAS registration accept messages, causing modem-level Denial of Service.
Affected Products
- Samsung Mobile Processor Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580
- Samsung Wearable Processor Exynos W920, W930, W1000
- Samsung Modem 5123 and Modem 5300
Discovery Timeline
- 2026-05-05 - CVE-2025-66369 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2025-66369
Vulnerability Analysis
The vulnerability resides in the Mobility Management (MM) layer of the Samsung Exynos baseband stack. The MM layer processes 5G NR Non-Access Stratum (NAS) signaling between the user equipment (UE) and the core network. A registration accept message is sent by the Access and Mobility Management Function (AMF) to confirm a UE's registration with the 5G network. Incorrect handling of malformed or unexpected fields in this message causes the modem firmware to enter an inconsistent state. The result is loss of cellular service availability on the affected device.
The issue is classified under [CWE-770], indicating that resources are allocated without sufficient limits or validation. The impact is restricted to availability, with no confidentiality or integrity compromise.
Root Cause
The baseband firmware fails to validate or bound resources when parsing specific elements of the 5G NR NAS registration accept message. Crafted message contents trigger excessive resource consumption or processing failure within the MM component. The condition manifests as a modem crash or hang, terminating cellular connectivity until reset.
Attack Vector
Exploitation requires the victim device to receive a malicious 5G NR NAS registration accept message. An adversary operating a rogue base station or false 5G core can deliver such a message during a registration procedure. No user interaction or authentication is required, since NAS registration accept handling occurs before authenticated session state is fully established. The vulnerability is reachable over the radio interface within range of the targeted device.
Verified exploit code is not publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. See the Samsung CVE-2025-66369 Details advisory for vendor technical references.
Detection Methods for CVE-2025-66369
Indicators of Compromise
- Repeated unexpected modem resets or baseband crashes correlated with 5G NR registration attempts.
- Sudden loss of cellular connectivity on Exynos-based devices in proximity to unknown or unauthorized base stations.
- Device logs showing NAS registration failures followed by modem subsystem restart events.
Detection Strategies
- Monitor mobile device management (MDM) telemetry for abnormal modem reboot frequency on Samsung Exynos hardware.
- Correlate cellular outages across multiple devices in the same physical area to identify potential rogue base station activity.
- Review baseband firmware version inventories to identify unpatched Exynos chipsets across the device fleet.
Monitoring Recommendations
- Track Samsung security advisories at the Samsung Security Updates portal for firmware revisions.
- Maintain an asset inventory of devices using affected Exynos processors and modems.
- Use enterprise mobility tools to alert on devices reporting persistent cellular connectivity loss.
How to Mitigate CVE-2025-66369
Immediate Actions Required
- Apply Samsung-provided baseband firmware updates to all affected Exynos mobile, wearable, and modem devices.
- Identify and inventory devices using Exynos 980, 990, 850, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, W920, W930, W1000, Modem 5123, or Modem 5300.
- Prioritize patching for high-value users and devices operating in environments with elevated radio threat exposure.
Patch Information
Samsung addressed CVE-2025-66369 through firmware updates distributed via downstream device manufacturers and carrier channels. Affected device owners should install the latest available system updates. Refer to the Samsung CVE-2025-66369 Details page for vendor-specific guidance.
Workarounds
- Disable 5G NR mode on devices that cannot be patched immediately, forcing fallback to LTE where supported.
- Avoid connecting to unknown or untrusted cellular networks in regions where rogue base station activity is suspected.
- Restart affected devices to restore cellular service after a triggered Denial of Service event.
# Configuration example
# Verify device firmware build and apply pending updates (Android example)
adb shell getprop ro.build.version.incremental
adb shell settings get global ota_update_url
# Trigger system update check via Settings > Software update > Download and install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
