CISA Highlights 8 Actively Exploited Vulnerabilities in Samsung and D-Link Devices


Published on Jul 3, 2023

Federal agencies required to apply fixes by July 20, 2023


Greetings, cybersecurity aficionados! We are embarking on another exploration into the ever-evolving world of cyber threats. Our focus today is on a fresh development in the cybersecurity landscape — the exploitation of eight significant vulnerabilities. Six of these vulnerabilities affect Samsung mobile devices, and two are found in D-Link devices.

These vulnerabilities, previously patched in 2021, have resurfaced as active threats, indicating their potential misuse by cybercriminals. Their impact ranges from race conditions in Samsung devices to remote code execution in D-Link routers.

In this blog post, we will be delving into these actively exploited vulnerabilities, discussing their nature, potential impacts, and the measures taken to mitigate these threats.

Details about the Exploited Flaws

The eight vulnerabilities highlighted by CISA comprise six flaws in Samsung mobile devices and two in D-Link devices, each with a different severity as indicated by its CVSS score.

In the case of the Samsung vulnerabilities:

  • CVE-2021-25394 and CVE-2021-25395 (both with a CVSS score of 6.4) are race condition vulnerabilities. A race condition is a type of flaw that occurs when the outcome of an event depends on the sequence or timing of other uncontrollable events. It becomes a significant issue when the undesired sequence happens and leads to an unfavorable event, such as a security breach or system failure.
  • CVE-2021-25371 and CVE-2021-25372 (both with a CVSS score of 6.7) are tied to the DSP driver used in Samsung mobile devices. The first flaw allows for the loading of arbitrary ELF libraries, and the second involves an improper boundary check within the same DSP driver. Both vulnerabilities could be exploited to tamper with the normal functioning of the device or to carry out further attacks.
  • CVE-2021-25487 (with a CVSS score of 7.8) is an out-of-bounds read vulnerability that could lead to arbitrary code execution. This kind of flaw happens when software reads data past the end, or before the start, of an intended buffer. It often results in a crash, exploitation of the system, or an information leak.
  • CVE-2021-25489 (with a CVSS score of 5.5) involves improper input validation that could result in kernel panic. A kernel panic is a safety measure taken by an operating system's kernel upon detecting an internal fatal error from which it cannot safely recover.

As for the D-Link vulnerabilities:

  • CVE-2019-17621 (with a CVSS score of 9.8) is a particularly severe vulnerability involving unauthenticated remote code execution in the D-Link DIR-859 router. Remote code execution vulnerabilities allow an attacker to execute arbitrary commands on a system without any user interaction.
  • CVE-2019-20500 (with a CVSS score of 7.8) is an authenticated OS command injection vulnerability in the D-Link DWL-2600AP. Command injection vulnerabilities occur when an application passes unsafe user-supplied data to a system shell, allowing a malicious user to execute arbitrary commands in the context of the application.

This comprehensive catalog of actively exploited vulnerabilities should serve as a stark reminder of the ongoing efforts by threat actors to exploit system weaknesses for their own nefarious ends.

Implications and Required Action

While the methods by which these Samsung vulnerabilities are being exploited in the wild remain unclear, the targeted nature of the attacks suggests potential use by a commercial spyware vendor. Additionally, the D-Link vulnerabilities have been associated with threat actors linked to a Mirai botnet variant, used in propagating malware across various IoT devices.

Given the seriousness of these threats, the Federal Civilian Executive Branch (FCEB) agencies are required to apply necessary fixes by July 20, 2023, to secure their networks against these potential threats.
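To turn the deadline above into a remediation queue, the following added example (not part of the original post) matches a scanner export against the eight CVEs and CVSS scores listed in this article and ranks open findings against the July 20, 2023 due date. The hostnames, CSV column names and the `triage` helper are constructed for illustration.

```python
import csv
import io
from datetime import date

# The eight CVEs, products and CVSS scores as listed in this post;
# DUE is the FCEB remediation deadline the post states.
DUE = date(2023, 7, 20)
KEV = {
    "CVE-2021-25394": ("Samsung mobile devices", 6.4),
    "CVE-2021-25395": ("Samsung mobile devices", 6.4),
    "CVE-2021-25371": ("Samsung mobile devices", 6.7),
    "CVE-2021-25372": ("Samsung mobile devices", 6.7),
    "CVE-2021-25487": ("Samsung mobile devices", 7.8),
    "CVE-2021-25489": ("Samsung mobile devices", 5.5),
    "CVE-2019-17621": ("D-Link DIR-859", 9.8),
    "CVE-2019-20500": ("D-Link DWL-2600AP", 7.8),
}

# Constructed sample scanner export: hypothetical hosts and column names.
# CVE-0000-00000 is a placeholder for a finding outside the list.
SAMPLE_FINDINGS = """asset,cve,status
edge-rtr-01,CVE-2019-17621,open
ap-lobby-02,cve-2019-20500,open
mdm-phone-17,CVE-2021-25487,fixed
mdm-phone-22,CVE-2021-25489,open
web-01,CVE-0000-00000,open
"""

def triage(findings_csv, today, warn_days=7):
    """Return open findings that match the listed CVEs, most severe first."""
    rows = []
    days_left = (DUE - today).days
    state = ("OVERDUE" if days_left < 0
             else "DUE_SOON" if days_left <= warn_days else "SCHEDULED")
    for rec in csv.DictReader(io.StringIO(findings_csv)):
        cve = rec["cve"].strip().upper()  # scanners differ in letter case
        if cve not in KEV or rec["status"].strip().lower() != "open":
            continue  # not one of the eight, or already remediated
        product, cvss = KEV[cve]
        rows.append({"asset": rec["asset"], "cve": cve, "product": product,
                     "cvss": cvss, "days_left": days_left, "state": state})
    # All eight share one deadline, so rank by CVSS (highest first), then asset.
    return sorted(rows, key=lambda r: (-r["cvss"], r["asset"]))

if __name__ == "__main__":
    for r in triage(SAMPLE_FINDINGS, today=date(2023, 7, 15)):
        print(f'{r["state"]:9} {r["days_left"]:>3}d  CVSS {r["cvss"]}  '
              f'{r["cve"]}  {r["asset"]} ({r["product"]})')
```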


As we navigate the complex world of cybersecurity, the re-emergence and active exploitation of these eight vulnerabilities remind us of the importance of vigilance and proactive defense. These security loopholes are testing our understanding of threat detection and mitigation. By comprehending their intricacies and ensuring the application of necessary patches and updates, we can turn the tide in our favor.

Remember, in our rapidly evolving cyber landscape, staying informed, updated, and prepared is our best defense. So let's continue to be vigilant in our quest for cybersecurity, ensuring safety in the face of emerging cyber threats.
