CVE-2022-39903 is an improper access control vulnerability affecting Samsung Mobile Devices, specifically certain models running Android versions Q (10), R (11), S (12), and T (13) that support Rich Communication Services (RCS). The vulnerability arises from insufficient restrictions on access to RCS incoming call numbers prior to the December 2022 Security Maintenance Release (SMR). This flaw allows a local attacker—someone with physical or logical access to the device—to retrieve sensitive information, namely the phone number associated with an incoming RCS call, without proper authorization. The vulnerability is categorized under CWE-200, which pertains to the exposure of sensitive information to unauthorized actors. Since the flaw requires local access, it does not enable remote exploitation, and there are no known exploits in the wild as of the publication date. The issue affects multiple recent Samsung device generations, indicating a broad potential impact across Samsung's mobile user base. The lack of a patch link suggests that remediation is expected through Samsung's regular security updates, specifically the SMR December 2022 release or later. The vulnerability primarily compromises confidentiality by exposing private call information, but it does not directly affect system integrity or availability. Exploitation does not require user interaction beyond local access, and the scope is limited to devices supporting RCS with the affected Android versions.

For European organizations, this vulnerability poses a moderate risk primarily to employees using affected Samsung mobile devices. Exposure of incoming RCS call numbers could lead to privacy violations, targeted social engineering, or reconnaissance by malicious insiders or attackers with physical device access. Organizations handling sensitive communications or operating in regulated sectors such as finance, healthcare, or government may face compliance challenges if call metadata is exposed. While the vulnerability does not enable remote compromise or direct system control, the leakage of call information could facilitate further attacks or data correlation efforts. The impact is more pronounced in environments where devices are shared, lost, or stolen, or where attackers have the opportunity for local access. Given the widespread use of Samsung devices in Europe, especially in corporate and consumer sectors, the vulnerability could affect a significant number of users, potentially undermining trust in mobile communication confidentiality.

Organizations should ensure that all Samsung mobile devices are updated promptly with the December 2022 SMR or later security patches provided by Samsung. IT departments should enforce mobile device management (MDM) policies that restrict physical and logical access to devices, including strong lock screen authentication and encryption. Limiting the installation of untrusted applications and monitoring for unusual local access attempts can reduce exploitation risk. For high-security environments, consider disabling RCS functionality if not essential, or using alternative secure communication platforms with stronger access controls. Additionally, organizations should educate users on the risks of local device access and implement procedures for rapid reporting and response to lost or stolen devices. Regular audits of device security posture and compliance with patch management policies will help mitigate exposure to this vulnerability.