CVE-2019-16256

CVSS 9.8 CRITICAL · EPSS 4.9% · KEV
In short

A flaw in Samsung's SIM card browser allows attackers to send specially crafted text messages that trick the SIM card into revealing your location, phone ID (IMEI), and other sensitive data, or executing unauthorized commands.

Technical detail

The vulnerability exists in the SIMalliance Toolbox Browser on the UICC, which processes SIM Toolkit (STK) instructions from SMS messages without proper validation. Remote attackers can craft malicious SMS messages containing STK commands to exfiltrate location data, IMEI, and other sensitive information, or execute arbitrary commands on the device's SIM card.

Summary generated and translated by AI from the official description.
Some Samsung devices include the SIMalliance Toolbox Browser (aka S@T Browser) on the UICC, which might allow remote attackers to retrieve location and IMEI information, or retrieve other data or execute certain commands, via SIM Toolkit (STK) instructions in an SMS message, aka Simjacker.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
n/a · n/a