CVE-2025-20999: 
NixOS vulnerability analysis and mitigation

Improper authorization in accessing saved Wi-Fi password for Galaxy Tablet prior to SMR Jul-2025 Release 1 allows secondary users to access owner's saved Wi-Fi password. The vulnerability, identified as CVE-2025-20999, was discovered on March 2, 2025, and affects Android versions 13, 14, and 15. This security issue was privately disclosed to Samsung Mobile and received a CVSS v3.1 base score of 2.1 (LOW) from NIST NVD, while Samsung Mobile assessed it with a higher CVSS score of 4.1 (MEDIUM) (Samsung Advisory).

The vulnerability is classified under CWE-863 (Incorrect Authorization) and received different severity assessments from NIST and Samsung Mobile. NIST assigned a CVSS v3.1 base score of 2.1 (LOW) with vector string CVSS:3.1/AV:P/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N, while Samsung Mobile rated it at 4.1 (MEDIUM) with vector string CVSS:3.1/AV:P/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N. The vulnerability specifically affects the Wi-Fi password storage mechanism in Galaxy Tablet devices (NVD Database).

The vulnerability allows secondary users of Galaxy Tablet devices to access the owner's saved Wi-Fi passwords, potentially compromising network security and privacy. This unauthorized access could lead to secondary users gaining access to networks they shouldn't have permission to join (Samsung Advisory).

Samsung has addressed this vulnerability in the July 2025 Security Maintenance Release (SMR Jul-2025 Release 1) by adding proper authorization verification logic. Users are advised to update their Galaxy Tablet devices to this security patch level to protect against unauthorized access to Wi-Fi passwords (Samsung Advisory).