CVE-2022-39903: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor in Samsung Mobile Samsung Mobile Devices
Improper access control vulnerability in RCS call prior to SMR Dec-2022 Release 1 allows local attackers to access RCS incoming call number.
AI Analysis
Technical Summary
CVE-2022-39903 is an improper access control vulnerability affecting Samsung Mobile Devices, specifically certain models running Android versions Q (10), R (11), S (12), and T (13) that support Rich Communication Services (RCS). The vulnerability arises from insufficient restrictions on access to RCS incoming call numbers prior to the December 2022 Security Maintenance Release (SMR). This flaw allows a local attacker—someone with physical or logical access to the device—to retrieve sensitive information, namely the phone number associated with an incoming RCS call, without proper authorization. The vulnerability is categorized under CWE-200, which pertains to the exposure of sensitive information to unauthorized actors. Since the flaw requires local access, it does not enable remote exploitation, and there are no known exploits in the wild as of the publication date. The issue affects multiple recent Samsung device generations, indicating a broad potential impact across Samsung's mobile user base. The lack of a patch link suggests that remediation is expected through Samsung's regular security updates, specifically the SMR December 2022 release or later. The vulnerability primarily compromises confidentiality by exposing private call information, but it does not directly affect system integrity or availability. Exploitation does not require user interaction beyond local access, and the scope is limited to devices supporting RCS with the affected Android versions.
Potential Impact
For European organizations, this vulnerability poses a moderate risk primarily to employees using affected Samsung mobile devices. Exposure of incoming RCS call numbers could lead to privacy violations, targeted social engineering, or reconnaissance by malicious insiders or attackers with physical device access. Organizations handling sensitive communications or operating in regulated sectors such as finance, healthcare, or government may face compliance challenges if call metadata is exposed. While the vulnerability does not enable remote compromise or direct system control, the leakage of call information could facilitate further attacks or data correlation efforts. The impact is more pronounced in environments where devices are shared, lost, or stolen, or where attackers have the opportunity for local access. Given the widespread use of Samsung devices in Europe, especially in corporate and consumer sectors, the vulnerability could affect a significant number of users, potentially undermining trust in mobile communication confidentiality.
Mitigation Recommendations
Organizations should ensure that all Samsung mobile devices are updated promptly with the December 2022 SMR or later security patches provided by Samsung. IT departments should enforce mobile device management (MDM) policies that restrict physical and logical access to devices, including strong lock screen authentication and encryption. Limiting the installation of untrusted applications and monitoring for unusual local access attempts can reduce exploitation risk. For high-security environments, consider disabling RCS functionality if not essential, or using alternative secure communication platforms with stronger access controls. Additionally, organizations should educate users on the risks of local device access and implement procedures for rapid reporting and response to lost or stolen devices. Regular audits of device security posture and compliance with patch management policies will help mitigate exposure to this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: Samsung Mobile
- Date Reserved: 2022-09-05T00:00:00.000Z
- CISA Enriched: true
Threat ID: 682d9848c4522896dcbf60a6
Added to database: 5/21/2025, 9:09:28 AM
Last enriched: 6/22/2025, 4:49:49 AM
Last updated: 8/12/2025, 1:18:55 AM