1. EXECUTIVE SUMMARY
- CVSS v4 7.5
- ATTENTION: Exploitable remotely
- Vendor: Samsung
- Equipment: HVAC DMS
- Vulnerabilities: Execution After Redirect (EAR), Deserialization of Untrusted Data, Absolute Path Traversal, Use of Potentially Dangerous Function, Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’), Relative Path Traversal
2. RISK EVALUATION
Successful exploitation of these vulnerabilities can lead to unauthenticated remote code execution.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following versions of Samsung HVAC DMS, a software management platform, are affected:
- Samsung HVAC DMS: Versions 2.0.0 to 2.3.13.0, Versions 2.5.0.17 to 2.6.14.0, Versions 2.7.0.15 to 2.9.3.5
3.2 Vulnerability Overview
3.2.1 EXECUTION AFTER REDIRECT (EAR) CWE-698
An execution after redirect in Samsung DMS (Data Management Server) allows attackers to execute limited functions without permissions. An attacker could compromise the integrity of the platform by executing this vulnerability.
CVE-2025-53077 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).
A CVSS v4 score has also been calculated for CVE-2025-53077. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).
3.2.2 […]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
This article has been indexed from All CISA Advisories
Read the original article:
Read the original article: