{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-20998", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "state": "PUBLISHED", "assignerShortName": "SamsungMobile", "dateReserved": "2025-12-11T01:33:35.801Z", "datePublished": "2026-03-16T04:32:06.400Z", "dateUpdated": "2026-03-16T13:19:35.805Z"}, "containers": {"cna": {"problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-287 - Improper Authentication"}]}], "affected": [{"vendor": "Samsung Mobile", "product": "Smart Switch", "versions": [{"status": "unaffected", "version": "3.7.69.15"}], "defaultStatus": "affected"}], "descriptions": [{"lang": "en", "value": "Improper authentication in Smart Switch prior to version 3.7.69.15 allows remote attackers to bypass authentication."}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "baseSeverity": "HIGH"}}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-03-16T04:32:06.400Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20998", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:12:34.781402Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:19:35.805Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-20998", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-16T13:12:34.781402Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-16T13:15:54.304Z"}}], "cna": {"metrics": [{"format": "CVSS", "cvssV4_0": {"version": "4.0", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Samsung Mobile", "product": "Smart Switch", "versions": [{"status": "unaffected", "version": "3.7.69.15"}], "defaultStatus": "affected"}], "references": [{"url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "descriptions": [{"lang": "en", "value": "Improper authentication in Smart Switch prior to version 3.7.69.15 allows remote attackers to bypass authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-287 - Improper Authentication"}]}], "providerMetadata": {"orgId": "3af57064-a867-422c-b2ad-40307b65c458", "shortName": "SamsungMobile", "dateUpdated": "2026-03-16T04:32:06.400Z"}}}, "cveMetadata": {"cveId": "CVE-2026-20998", "state": "PUBLISHED", "dateUpdated": "2026-03-16T13:19:35.805Z", "dateReserved": "2025-12-11T01:33:35.801Z", "assignerOrgId": "3af57064-a867-422c-b2ad-40307b65c458", "datePublished": "2026-03-16T04:32:06.400Z", "assignerShortName": "SamsungMobile"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samsung:smart_switch:*:*:*:*:*:*:*:*", "matchCriteriaId": "37A46437-F1AB-40DC-B7FC-77D3CE8047EE", "versionEndExcluding": "3.7.69.15", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper authentication in Smart Switch prior to version 3.7.69.15 allows remote attackers to bypass authentication."}, {"lang": "es", "value": "Autenticaci\u00f3n incorrecta en Smart Switch anterior a la versi\u00f3n 3.7.69.15 permite a atacantes remotos eludir la autenticaci\u00f3n."}], "id": "CVE-2026-20998", "lastModified": "2026-03-31T00:34:49.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "mobile.security@samsung.com", "type": "Secondary"}]}, "published": "2026-03-16T14:18:10.827", "references": [{"source": "mobile.security@samsung.com", "tags": ["Vendor Advisory"], "url": "https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=03"}], "sourceIdentifier": "mobile.security@samsung.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "unaffected", "versions": {"scheme": "generic", "value": "3.7.69.15"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.7.69.15)"}}], "enrichment": {"confidence": 85.0, "confidence_source": "matching", "scores": [{"score": 85.0, "source": "matching"}]}, "original": {"product": "Smart Switch", "source": "cna", "vendor": "Samsung Mobile"}, "product": "smart_switch", "vendor": "samsung"}], "analysis": {"en": {"generated_at": "2026-04-01T05:51:34.550691+00:00", "value": {"mitigation_remediation": ["Update Samsung Mobile Smart Switch to version 3.7.69.15 or later", "Consult Samsung\u2019s advisory page for additional guidance"], "summary": {"action": "Patch Now", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Affected are Samsung Mobile Smart Switch clients running versions earlier than 3.7.69.15. The flaw exists across all devices that use the Smart Switch application before that version.", "description_and_impact": "The vulnerability is an improper authentication flaw that allows remote attackers to bypass authentication in Samsung Mobile Smart Switch, enabling unauthorized access to protected functions. This could let attackers perform unauthenticated operations, potentially compromising the confidentiality and integrity of user data.", "risk_and_exploitability": "The CVSS score of 7.1 indicates a high impact with potential for remote exploitation. EPSS is under 1%, showing a low likelihood of exploitation, and the vulnerability is not listed in the CISA KEV catalog. Attackers would need remote access to the device and could bypass the authentication mechanism without additional prerequisites, potentially leading to unauthorized use of the application."}}}}, "created": "2026-03-17T09:55:10.540367+00:00", "title": "Remote Authentication Bypass in Samsung Mobile Smart Switch", "updated": "2026-04-02T08:00:14.983169+00:00", "vendors": ["samsung", "samsung$PRODUCT$smart_switch"], "weaknesses": ["CWE-284"]}