ICS Advisory

Samsung HVAC DMS

Release Date
Alert Code
ICSA-25-210-02
Related topics:
Industrial Control System Vulnerabilities, Industrial Control Systems

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v4 7.5
  • ATTENTION: Exploitable remotely
  • Vendor: Samsung
  • Equipment: HVAC DMS
  • Vulnerabilities: Execution After Redirect (EAR), Deserialization of Untrusted Data, Absolute Path Traversal, Use of Potentially Dangerous Function, Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Relative Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities can lead to unauthenticated remote code execution.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Samsung HVAC DMS, a software management platform, are affected:

  • Samsung HVAC DMS: Versions 2.0.0 to 2.3.13.0, Versions 2.5.0.17 to 2.6.14.0, Versions 2.7.0.15 to 2.9.3.5

3.2 Vulnerability Overview

3.2.1 EXECUTION AFTER REDIRECT (EAR) CWE-698

An execution after redirect in Samsung DMS (Data Management Server) allows attackers to execute limited functions without permissions. An attacker could compromise the integrity of the platform by executing this vulnerability.

CVE-2025-53077 has been assigned to this vulnerability. A CVSS v3.1 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L).

A CVSS v4 score has also been calculated for CVE-2025-53077. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N).

3.2.2 DESERIALIZATION OF UNTRUSTED DATA CWE-502

Deserialization of Untrusted Data in Samsung DMS (Data Management Server) allows attackers to execute arbitary code via write file to system.

CVE-2025-53078 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.0 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53078. A base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.3 ABSOLUTE PATH TRAVERSAL CWE-36

Absolute Path Traversal in Samsung DMS (Data Management Server) allows authenticated attacker (Administrator) to read sensitive files.

CVE-2025-53079 has been assigned to this vulnerability. A CVSS v3.1 base score of 4.9 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N).

A CVSS v4 score has also been calculated for CVE-2025-53079. A base score of 6.9 has been calculated; the CVSS vector string is (AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N).

3.2.4 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in Samsung DMS (Data Management Server) allows authenticated attackers to create arbitary files in unintended locations on the filesystem.

CVE-2025-53080 has been assigned to this vulnerability. A CVSS v3.1 base score of 7.1 has been calculated; the CVSS vector string is (AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53080. A base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.5 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY PATHNAME TO A RESTRICTED DIRECTORY ('PATH TRAVERSAL') CWE-22

An 'Arbitary File Creation' in Samsung DMS (Data Management Server) allows attackers to create arbitary files in unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.

CVE-2025-53081 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.3 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53081. A base score of 7.2 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N).

3.2.6 RELATIVE PATH TRAVERSAL CWE-23

An 'Arbitary File Deletion' in Samsung DMS (Data Management Server) allows attackers to delete arbitary files from unintended locations on the filesystem. Exploitation is restricted to specific, authorized private IP addresses.

CVE-2025-53082 has been assigned to this vulnerability. A CVSS v3.1 base score of 8.1 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H).

A CVSS v4 score has also been calculated for CVE-2025-53082. A base score of 7.2 has been calculated; the CVSS vector string is (AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Commercial Facilities, Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: South Korea

3.4 RESEARCHER

Noam Moshe of Claroty Team82 reported these vulnerabilities to CISA.

4. MITIGATIONS

Samsung recommends users to contact a Samsung call center or installer for a software update.

This product is not intended to be connected to the Internet, so please disconnect it from the Internet. Refer to the following statement in the manual: "Use this product only in a separate dedicated network. Samsung Electronics is not liable for any problems caused by connecting it to the Internet or an intranet."

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities, such as:

  • Minimize network exposure for all control system devices and/or systems, ensuring they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolating them from business networks.
  • When remote access is required, use more secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as the connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities have a high attack complexity.

5. UPDATE HISTORY

  • July 29, 2025: Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

  • Samsung

Tags

Sector: Commercial Facilities Sector, Critical Manufacturing Sector
Topics: Industrial Control System Vulnerabilities, Industrial Control Systems

Please share your thoughts

We recently updated our anonymous product survey; we welcome your feedback.

Related Advisories