
CERT Coordination Center

Samsung Magician fails to update itself securely

Vulnerability Note VU#846320

Original Release Date: 2017-06-15 | Last Revised: 2017-06-15


Samsung Magician fails to securely check for and retrieve updates, which can allow an attacker who can intercept or modify the user's network traffic to execute arbitrary code with administrator privileges.


Samsung Magician is a management utility for Samsung SSDs. Prior to version 5.0, Samsung Magician checks for and retrieves updates over plain HTTP. From version 5.0 up to, but not including, version 5.1, Samsung Magician uses HTTPS for update operations, but it does not validate the server's SSL/TLS certificate, so any certificate presented by the other end of the connection is accepted.


An attacker who is on the same network as a Samsung Magician user, or who can otherwise intercept or modify that user's network traffic, can substitute their own content for the update and cause the Magician update process to execute arbitrary code with system administrator privileges.
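The following Go program, added here as an illustration and not code from Samsung or the CERT/CC, shows the difference between the pre-5.1 client behaviour described above and a client that validates certificates. It stands up a local HTTPS server whose certificate is signed by nobody the system trusts (exactly what a victim's client sees when an attacker terminates TLS on the local network), then points three clients at it: one that never validates the chain, one that validates against the system trust store, and one that validates against a pool containing the server's certificate, standing in for the legitimate update host. The update path and payload are hypothetical.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Hypothetical update path and payload; neither is Samsung's real endpoint or installer.
const (
	updatePath = "/magician/update.exe"
	payload    = "installer-bytes"
)

// newUpdateServer serves the update over HTTPS with httptest's self-signed certificate,
// which no system trust store knows. From the client's point of view that is what a
// man-in-the-middle terminating TLS looks like: working HTTPS, untrusted chain.
func newUpdateServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc(updatePath, func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		io.WriteString(w, payload)
	})
	return httptest.NewTLSServer(mux)
}

// legacyClient mirrors the pre-5.1 behaviour: HTTPS is used, but the server's
// certificate is never validated, so any certificate is accepted.
func legacyClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// hardenedClient validates the certificate chain. roots == nil means the system
// trust store; a non-nil pool restricts the client to the CAs the updater should trust.
func hardenedClient(roots *x509.CertPool) *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12, RootCAs: roots},
	}}
}

// fetchUpdate downloads the update body; the client decides whether the TLS chain is checked.
func fetchUpdate(client *http.Client, url string) (string, error) {
	defer client.CloseIdleConnections()
	resp, err := client.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(body), nil
}

// isCertVerificationFailure reports whether err is a certificate validation error
// (untrusted CA, wrong host, invalid certificate, or an unusable system trust store),
// as opposed to a plain network or HTTP error. An updater must treat all of these as
// fatal rather than fall back to installing whatever it received.
func isCertVerificationFailure(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) ||
		errors.As(err, &invalid) || errors.As(err, &noRoots)
}

// Result collects the three outcomes so they can be inspected programmatically.
type Result struct {
	LegacyPayload  string // what the non-validating client downloaded from the untrusted server
	HardenedErr    error  // why the validating client refused the same server
	TrustedPayload string // what the validating client downloaded once the chain was trusted
}

// RunScenario points the three clients at the same server and records what each accepts.
func RunScenario() Result {
	srv := newUpdateServer()
	defer srv.Close()
	url := srv.URL + updatePath

	legacy, _ := fetchUpdate(legacyClient(), url)
	_, hardenedErr := fetchUpdate(hardenedClient(nil), url)

	// Trust the server's certificate explicitly: this stands in for the legitimate
	// update host, whose chain validates, and shows the hardened client still works there.
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate())
	trusted, _ := fetchUpdate(hardenedClient(roots), url)

	return Result{LegacyPayload: legacy, HardenedErr: hardenedErr, TrustedPayload: trusted}
}

func main() {
	r := RunScenario()
	fmt.Printf("no validation (pre-5.1 behaviour): got %q\n", r.LegacyPayload)
	fmt.Printf("validation, untrusted chain: %v\n", r.HardenedErr)
	fmt.Printf("validation, trusted chain: got %q\n", r.TrustedPayload)
}
```

The non-validating client happily downloads the attacker's payload; the validating client refuses the same server with a certificate error and only succeeds once the chain leads to a root it trusts. The same harness (an HTTPS server with an untrusted certificate on the local network) is how a practitioner can check whether any update client actually validates certificates: if the client retrieves the file, it does not.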


Apply an update

This issue is addressed in Samsung Magician 5.1. Because the update mechanism itself is what is vulnerable, do not use Samsung Magician's self-update feature to obtain the fixed version; an attacker in a position to tamper with that download could deliver something other than the fix. Obtain version 5.1 through a channel other than the vulnerable self-updater.

Avoid untrusted networks

Avoid using untrusted networks, including public WiFi. Using your device on an untrusted network increases the chance of falling victim to a man-in-the-middle (MITM) attack, which is the attacker position this vulnerability requires.

Vendor Information


Samsung Memory Affected

Notified: April 24, 2017 | Updated: June 15, 2017



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

CVSS Metrics (CVSS v2)

Group          Score   Vector
Base           8.3     AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal       6.5     E:POC/RL:OF/RC:C
Environmental  4.9     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND



This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2017-3218
Date Public: 2017-06-15
Date First Published: 2017-06-15
Date Last Updated: 2017-06-15 15:45 UTC
Document Revision: 13

Sponsored by CISA.