Vulnerability Details : CVE-2019-16256
Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or execute certain commands, via SIM Toolkit (STK) instructions in an SMS message, aka Simjacker.
Products affected by CVE-2019-16256
- cpe:2.3:o:samsung:samsung_firmware:-:*:*:*:*:*:*:*
CVE-2019-16256 is in the CISA Known Exploited Vulnerabilities Catalog
CISA vulnerability name: SIMalliance Toolbox Browser Command Injection Vulnerability
CISA required action: Apply updates per vendor instructions.
CISA description: SIMalliance Toolbox Browser contains a command injection vulnerability that could allow remote attackers to retrieve location and IMEI information or execute a range of other attacks by modifying the attack message.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2019-16256
Added on: 2021-11-03
Action due date: 2022-05-03
Exploit prediction scoring system (EPSS) score for CVE-2019-16256
Probability of exploitation activity in the next 30 days: 4.42%
Percentile, the proportion of vulnerabilities that are scored at or less: ~ 91 %
CVSS scores for CVE-2019-16256
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P | 10.0 | 6.4 | NIST | |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
References for CVE-2019-16256
- https://www.adaptivemobile.com/blog/simjacker-next-generation-spying-over-mobile
  Simjacker – Next Generation Spying Over Mobile | Mobile Security News | AdaptiveMobile (Exploit; Third Party Advisory)