CVE-2023-21458 in Smart Phoneinfo

Summary

by MITRE • 03/16/2023

Improper privilege management vulnerability in PhoneStatusBarPolicy in System UI prior to SMR Mar-2023 Release 1 allows attacker to turn off Do not disturb via unprotected intent.


Analysis

by VulDB Data Team • 09/16/2025

The vulnerability identified as CVE-2023-21458 represents a critical improper privilege management flaw within the PhoneStatusBarPolicy component of the System UI module in Android systems. This weakness exists in versions prior to the SMR Mar-2023 Release 1 and specifically affects the handling of system-level permissions related to the Do Not Disturb feature. The vulnerability stems from inadequate validation of intent permissions, creating an exploitable pathway for unauthorized modification of critical system behaviors.

The flaw lies in the PhoneStatusBarPolicy class, which manages status bar notifications and system-level alerts. When an attacker crafts and broadcasts a specially constructed intent that targets the Do Not Disturb functionality, the system fails to verify whether the calling application holds the privileges needed to modify this setting. This permission bypass allows malicious actors to disable Do Not Disturb mode without proper authentication or authorization, effectively removing an important privacy and user experience control from the device.

The operational impact of this vulnerability extends beyond simple notification management, as it compromises the fundamental security model of Android's notification system. Attackers can exploit this weakness to disrupt user communication preferences, potentially masking malicious activities or preventing users from receiving important alerts during critical periods. The vulnerability directly affects user privacy and system integrity, as it allows unauthorized modification of system-level settings that should require elevated privileges or user confirmation. This flaw can be particularly dangerous in enterprise environments or scenarios where users rely on Do Not Disturb modes for security or compliance reasons.

From a cybersecurity perspective, this vulnerability maps to CWE-284, which addresses improper access control and privilege management. The ATT&CK framework categorizes this as a privilege escalation technique under T1068, where adversaries exploit weak permission controls to gain unauthorized system access. The vulnerability demonstrates how insufficient input validation and permission checking can create persistent security weaknesses in system-level components. Organizations should implement immediate mitigations, including updating to SMR Mar-2023 Release 1, reviewing application permissions, and monitoring for suspicious intent broadcasts. Additionally, security teams should consider implementing network-level controls to detect and block unauthorized intent traffic, while users should avoid installing untrusted applications that might exploit this weakness to compromise their device's notification settings and overall security posture.
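The root cause described above is a broadcast receiver that acts on an intent without any check on who sent it. The example below, added here as an illustration and not Samsung's PhoneStatusBarPolicy code (which is not on this page), contrasts that weak pattern with the hardened one: the receiver is registered as not exported, gated behind a signature-level permission, and only then calls NotificationManager.setInterruptionFilter. The action string, permission name and class names are placeholders chosen for the example.

```java
import android.app.NotificationManager;
import android.content.BroadcastReceiver;
import android.content.Context;
import android.content.Intent;
import android.content.IntentFilter;
import android.os.Build;

/** Illustrative receivers for a Do Not Disturb toggle; placeholder names, not the System UI code. */
public final class DndReceivers {
    // Hypothetical action and permission names (assumptions, not taken from the advisory).
    static final String ACTION_SET_DND = "com.example.sysui.action.SET_DND";
    static final String PERM_MANAGE_DND = "com.example.sysui.permission.MANAGE_DND";
    static final String EXTRA_ENABLED = "enabled";

    /** Weak pattern: an exported receiver with no permission lets any installed app flip the filter. */
    public static final class UnprotectedDndReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context ctx, Intent intent) {
            applyDnd(ctx, intent.getBooleanExtra(EXTRA_ENABLED, false));
        }
    }

    /** Hardened pattern: the same logic, but reachable only through the guarded registration below. */
    public static final class ProtectedDndReceiver extends BroadcastReceiver {
        @Override public void onReceive(Context ctx, Intent intent) {
            if (!ACTION_SET_DND.equals(intent.getAction())) return;
            // Note: inside onReceive the Binder calling identity is the system's, not the sender's,
            // so checkCallingPermission() here would not identify the broadcaster. The permission
            // must be enforced at registration (or in the manifest), as registerProtected() does.
            applyDnd(ctx, intent.getBooleanExtra(EXTRA_ENABLED, false));
        }
    }

    /**
     * Registers the receiver so that other apps cannot trigger it. On API 33+ the receiver is not
     * exported at all; on older releases the sender must hold PERM_MANAGE_DND, which should be
     * declared with android:protectionLevel="signature" so only same-signed packages can obtain it.
     *
     * Manifest equivalent for a statically declared receiver:
     *   <receiver android:name=".DndReceivers$ProtectedDndReceiver"
     *             android:exported="false"
     *             android:permission="com.example.sysui.permission.MANAGE_DND" />
     */
    public static BroadcastReceiver registerProtected(Context ctx) {
        BroadcastReceiver receiver = new ProtectedDndReceiver();
        IntentFilter filter = new IntentFilter(ACTION_SET_DND);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.TIRAMISU) {
            ctx.registerReceiver(receiver, filter, PERM_MANAGE_DND, null, Context.RECEIVER_NOT_EXPORTED);
        } else {
            ctx.registerReceiver(receiver, filter, PERM_MANAGE_DND, null);
        }
        return receiver;
    }

    /** Applies the requested interruption filter; needs notification policy access, which System UI holds. */
    static void applyDnd(Context ctx, boolean enabled) {
        NotificationManager nm = (NotificationManager) ctx.getSystemService(Context.NOTIFICATION_SERVICE);
        if (nm == null || !nm.isNotificationPolicyAccessGranted()) return;
        nm.setInterruptionFilter(enabled
                ? NotificationManager.INTERRUPTION_FILTER_PRIORITY
                : NotificationManager.INTERRUPTION_FILTER_ALL);
    }
}
```

For review purposes, the points to check in a status bar policy component are the same ones this example encodes: whether the receiver is exported (manifest `android:exported` or the `RECEIVER_NOT_EXPORTED` flag), whether a permission is attached at registration, and whether that permission is signature-level rather than one any third-party app can request.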

Responsible

Samsung Mobile

Reservation

11/14/2022

Disclosure

03/16/2023

Moderation

accepted

CPE

ready

EPSS

0.00154

KEV

no

Activities

very low

Sources
