CVE-2013-3586

Samsung Smart Viewer - Unauthenticated Authentication Bypass via SessionID Cookie

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2013-3586. PoCs published by Andrea Fabrizi.

AI-analyzed exploit summary The exploit demonstrates an authentication bypass vulnerability in Samsung DVR firmware <= 1.10 by sending a crafted cookie to access protected CGI endpoints. It includes functional Python code to dump user credentials via the `/cgi-bin/setup_user` endpoint.

Description

Samsung Web Viewer for Samsung DVR devices allows remote attackers to bypass authentication via an arbitrary SessionID value in a cookie.

Exploits (1)

exploitdb WORKING POC

by Andrea Fabrizi · textwebappshardware

https://www.exploit-db.com/exploits/27753

View Code ZIP pw:eip

The exploit demonstrates an authentication bypass vulnerability in Samsung DVR firmware <= 1.10 by sending a crafted cookie to access protected CGI endpoints. It includes functional Python code to dump user credentials via the `/cgi-bin/setup_user` endpoint.

Classification

Working Poc 95%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Samsung DVR firmware <= 1.10

No auth needed

Prerequisites: Network access to the target DVR · Web interface exposed

MITRE ATT&CK

T1189 - Drive-by Compromise T1552 - Unsecured Credentials

devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1

Core References

US Government Resource third-party-advisory x_refsource_cert-vn

http://www.kb.cert.org/vuls/id/882286

Scores

EPSS 0.1161

EPSS Percentile 95.5%

Details

CWE

CWE-287

Status published

Products (2)

samsung/dvr

samsung/smart_viewer

Published Aug 28, 2013

Tracked Since Feb 18, 2026