CVE-2025-20999: 
NixOS vulnerability analysis and mitigation

Improper authorization in accessing saved Wi-Fi password for Galaxy Tablet prior to SMR Jul-2025 Release 1 allows secondary users to access owner's saved Wi-Fi password. The vulnerability, identified as CVE-2025-20999, affects Android versions 13, 14, and 15. It was reported on March 2, 2025, and was privately disclosed to Samsung Mobile (Samsung Mobile).

The vulnerability has been assigned a CVSS v3.1 base score of 4.1 MEDIUM by Samsung Mobile, with a vector string of CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. The NVD assessment differs slightly with a base score of 2.1 LOW and vector string CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified under CWE-863 (Incorrect Authorization) (NVD).

The vulnerability allows secondary users to access the device owner's saved Wi-Fi passwords, potentially compromising the privacy and security of the owner's Wi-Fi network connections (Samsung Mobile).

Samsung has addressed this vulnerability in the July 2025 Security Maintenance Release (SMR Jul-2025 Release 1) by adding proper authorization verification logic. Users are advised to update their devices to this release to protect against potential exploitation (Samsung Mobile).