PatchSiren

PatchSiren cyber security CVE debrief

CVE-2016-1920 Samsung CVE debrief

CVE-2016-1920 describes a trust issue in Samsung KNOX 1.0.0 on Android where use of a shared certificate can allow a local user to carry out a man-in-the-middle attack. The NVD record classifies the issue as affecting Samsung Knox 1.0 and assigns a medium CVSS score (5.5) with high integrity impact. Because the attack requires local access and user interaction rather than being remotely exploitable, the main concern is devices where an attacker can operate locally or has already gained a foothold on the device.

Vendor
Samsung
Product
CVE-2016-1920
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2017-01-27
Original CVE updated
2026-05-13
Advisory published
2017-01-27
Advisory updated
2026-05-13

Who should care

Samsung KNOX 1.0.0 administrators, mobile device management teams, enterprise Android fleet operators, and users or support teams responsible for devices that may allow local installation of certificates or VPN profiles.

Technical summary

The supplied description states that Samsung KNOX 1.0.0 uses a shared certificate on Android, which can let a local user conduct man-in-the-middle attacks by installing a certificate and running a VPN service. NVD maps the affected product to cpe:2.3:a:samsung:knox:1.0 and lists CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, indicating local access, no privileges, required user interaction, and primary integrity impact. NVD also lists CWE-284 (Improper Access Control).

Defensive priority

Medium. The issue is publicly disclosed and can undermine trust and traffic integrity on affected devices, but the supplied data does not indicate active exploitation or KEV inclusion.

Recommended defensive actions

  • Inventory devices using Samsung KNOX 1.0.0 and confirm whether they are still in service.
  • Apply vendor guidance or updates for affected Samsung KNOX deployments if available.
  • Restrict local access to managed Android devices, including physical access and opportunities to install untrusted certificates or VPN profiles.
  • Review installed certificate authorities and VPN configurations on affected devices for unexpected or user-added entries.
  • Remove or revoke untrusted certificates and profiles, and re-enroll devices if integrity of the trust store is uncertain.
  • Monitor mobile device management logs for certificate, VPN, or profile changes on affected fleets.
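The inventory, trust-store review and MDM monitoring steps above can be combined into one fleet audit. The script below is an added example, not PatchSiren's or Samsung's code, and it does not talk to any real MDM: the device inventory, the key=value event-log format, the event names (CERT_INSTALLED, VPN_PROFILE_ADDED, VPN_SERVICE_STARTED) and the allowlist of CA subjects are all constructed for illustration. It lists the devices still reporting KNOX 1.0.0 and flags any certificate or VPN change on those devices that was not the organisation's own MDM pushing an expected CA.

```python
"""Audit constructed MDM event logs for user-added certificates and VPN
changes on devices still running Samsung KNOX 1.0.0.

Added example; the log format, device identifiers, event names and the
allowlist are constructed assumptions, not any vendor's real schema.
"""
import re
from dataclasses import dataclass, field

AFFECTED_KNOX_VERSIONS = {"1.0.0"}

# Constructed inventory: device id -> KNOX version reported to the MDM.
INVENTORY = {
    "DEV-001": "1.0.0",
    "DEV-002": "2.4.1",
    "DEV-003": "1.0.0",
}

# Constructed allowlist of CA subjects the organisation deploys itself.
EXPECTED_CA_SUBJECTS = {"CN=Example Corp Root CA"}

# Constructed event names that touch the trust store or route traffic via a VPN.
TRUST_EVENTS = {"CERT_INSTALLED", "VPN_PROFILE_ADDED", "VPN_SERVICE_STARTED"}

# Constructed MDM log lines: timestamp then key=value pairs; quoted values may contain spaces.
SAMPLE_LOG = """\
2024-03-01T09:15:02Z device=DEV-001 event=CERT_INSTALLED store=user subject="CN=Example Corp Root CA" actor=mdm
2024-03-01T09:20:44Z device=DEV-001 event=CERT_INSTALLED store=user subject="CN=Free Proxy CA" actor=local_user
2024-03-01T09:21:10Z device=DEV-001 event=VPN_SERVICE_STARTED package=com.example.tunnel actor=local_user
2024-03-01T09:30:00Z device=DEV-002 event=CERT_INSTALLED store=user subject="CN=Free Proxy CA" actor=local_user
2024-03-01T09:45:12Z device=DEV-003 event=APP_INSTALLED package=com.example.notes actor=local_user
2024-03-01T09:50:00Z device=DEV-003 event=VPN_PROFILE_ADDED profile="Home VPN" actor=local_user
"""

_PAIR = re.compile(r'(\w+)=("([^"]*)"|\S+)')


@dataclass
class Event:
    timestamp: str
    fields: dict = field(default_factory=dict)


def parse_event(line):
    """Parse one key=value log line into an Event; blank lines yield None."""
    line = line.strip()
    if not line:
        return None
    timestamp, _, rest = line.partition(" ")
    fields = {}
    for m in _PAIR.finditer(rest):
        key, raw, quoted = m.groups()
        fields[key] = quoted if quoted is not None else raw
    return Event(timestamp, fields)


def is_suspicious(event):
    """True for trust-store or VPN changes not made by the MDM with an expected CA."""
    kind = event.fields.get("event")
    if kind not in TRUST_EVENTS:
        return False
    if kind == "CERT_INSTALLED":
        # A CA the organisation pushed through its own MDM is expected.
        return not (event.fields.get("actor") == "mdm"
                    and event.fields.get("subject") in EXPECTED_CA_SUBJECTS)
    # Any VPN profile or service change on an affected device warrants review.
    return True


def affected_devices(inventory=INVENTORY):
    """Inventory step: devices that still report an affected KNOX version."""
    return sorted(d for d, v in inventory.items() if v in AFFECTED_KNOX_VERSIONS)


def audit_fleet(log_text, inventory=INVENTORY):
    """Return (device, knox_version, timestamp, event, detail) tuples for
    suspicious trust changes on devices still running an affected version."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        device = ev.fields.get("device")
        version = inventory.get(device)
        if version not in AFFECTED_KNOX_VERSIONS:
            continue  # patched or unaffected device: out of scope for this CVE
        if is_suspicious(ev):
            detail = (ev.fields.get("subject") or ev.fields.get("profile")
                      or ev.fields.get("package") or "")
            alerts.append((device, version, ev.timestamp, ev.fields["event"], detail))
    return alerts


if __name__ == "__main__":
    print("Devices still on an affected KNOX version:", affected_devices())
    for alert in audit_fleet(SAMPLE_LOG):
        print("ALERT", *alert)
```

On the constructed log this reports DEV-001 and DEV-003 as affected and raises three alerts: the user-installed "CN=Free Proxy CA" and the VPN service start on DEV-001, and the user-added VPN profile on DEV-003. The same certificate installed on DEV-002 is ignored because that device no longer runs an affected version, and the MDM-pushed corporate root on DEV-001 matches the allowlist. Each alert is a candidate for the remove-or-revoke and re-enrolment steps above.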

Evidence notes

The CVE description supplied in the corpus states that Samsung KNOX 1.0.0 uses a shared certificate on Android and that a local user can perform man-in-the-middle attacks by installing a certificate and running a VPN service. The NVD record confirms the affected CPE as Samsung Knox 1.0, gives the CVSS 3.0 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N, and identifies CWE-284. The provided reference URLs are SecurityFocus archive links cited by the CVE record.

Official resources

Publicly disclosed CVE. Published 2017-01-27 in the supplied record; no KEV date is provided in the corpus.