Samsung Galaxy S25 flaws exposed credentials and enabled script execution
Samsung disclosed two Galaxy S25 vulnerabilities reported through Pwn2Own that could be triggered remotely with user interaction. One flaw, CVE-2025-58486 (ZDI-26-224 / ZDI-CAN-28456), affects the Samsung Account application and allows arbitrary script execution in the current WebView through a cross-site scripting issue caused by improper validation of user-supplied data. The bug was assigned a CVSS 6.3 score and was credited to Ken Gannon, 伊藤 剣 (@yogehi) of Mobile Hacking Lab, and Dimitrios Valsamaras (@Ch0pin).
A second issue, CVE-2025-58488 (ZDI-26-223 / ZDI-CAN-28331), affects the Smart Touch Call application and can disclose sensitive information, including stored credentials, because of insufficient protection around URL-parameter-driven functionality. That flaw received a CVSS 5.9 score and was credited to Interrupt Labs. In both cases, exploitation requires a victim to visit a malicious page or open a malicious file, and Samsung has released updates to remediate the vulnerabilities.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
ZDI publicly discloses two Samsung Galaxy S25 vulnerabilities
Zero Day Initiative publicly disclosed ZDI-26-223 and ZDI-26-224, covering CVE-2025-58488 and CVE-2025-58486 respectively. The disclosures described a Smart Touch Call credential exposure issue and a Samsung Account XSS flaw, both originally disclosed through Pwn2Own.
Samsung releases updates for two Galaxy S25 vulnerabilities
Samsung released fixes for both disclosed Galaxy S25 issues: the Smart Touch Call information disclosure flaw and the Samsung Account cross-site scripting flaw. The advisories state updates were available by the time of public disclosure.
Researchers report Samsung Account open redirect flaw to Samsung
A Samsung Galaxy S25 open redirect security bypass in the Samsung Account application was reported to Samsung. Tracked as CVE-2025-58487 and ZDI-26-225, the flaw could let unauthenticated attackers redirect users to malicious content and use that behavior to launch arbitrary exported Android activities.
Researchers report Samsung Account XSS flaw to Samsung
Ken Gannon, 伊藤 剣 (@yogehi) of Mobile Hacking Lab, and Dimitrios Valsamaras (@Ch0pin) reported a Samsung Galaxy S25 cross-site scripting flaw in the Samsung Account application to Samsung. The bug, later tracked as CVE-2025-58486 and ZDI-26-224, allowed arbitrary script execution in the current WebView context with user interaction.
Interrupt Labs reports Samsung Smart Touch Call info disclosure flaw
Interrupt Labs reported a Samsung Galaxy S25 vulnerability in the Smart Touch Call application to Samsung. The issue, later tracked as CVE-2025-58488 and ZDI-26-223, could expose stored credentials through improper protection of URL-parameter-driven functionality.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ZDI-26-223 | Zero Day Initiative
zerodayinitiative.com
Open sourceZDI-26-224 | Zero Day Initiative
zerodayinitiative.com
Open sourceZDI-26-225 | Zero Day Initiative
zerodayinitiative.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Samsung Galaxy flaws exposed remote image RCE and SystemUI privilege escalation
Samsung disclosed multiple vulnerabilities affecting Galaxy devices, including **remote code execution** flaws in the proprietary Quram image codec and a separate **improper access control** bug in the Routines automation feature. **CVE-2025-21042** and **CVE-2025-21043** are out-of-bounds write issues in `libimagecodec.quram.so` that can be triggered by specially crafted images delivered through MMS, email attachments, messaging apps, or web content, potentially with little or no user interaction. Samsung said **CVE-2025-21042** was fixed in the **April 2025 Security Maintenance Release**, while **CVE-2025-21043** was addressed in the **September 2025 SMR**. The disclosures revive longstanding concerns around Samsung’s proprietary image parsing stack, which Google Project Zero previously showed could be exploited through malformed Qmage images in a **zero-click MMS** chain that achieved code execution on a Galaxy Note 10+. Samsung also patched **CVE-2025-21058**, which allowed a local attacker on Android 15 and 16 devices to execute arbitrary code with **SystemUI privileges** via Galaxy Routines before versions **4.8.7.1** and **4.9.6.0**. Separately, Google fixed Android framework flaw **CVE-2025-32322** in the September 2025 Android Security Bulletin after it was found to let a malicious app bypass the MediaProjection consent dialog and silently capture screen content on Android 13 and 14.
Jun 12, 2026
Samsung patches three Exynos NPU driver flaws enabling Android privilege escalation
Samsung has patched three high-severity vulnerabilities in the Exynos NPU driver—`CVE-2025-23099`, `CVE-2025-23103`, and `CVE-2025-23107`—that could allow local privilege escalation on affected Galaxy devices. The flaws impact Samsung Galaxy S24+ devices running Android 14 and systems based on Exynos 1480 and 2400 platforms, and each issue is reachable by a malicious application running in the `untrusted_app` SELinux context with low privileges and no user interaction. Samsung assigned a CVSS v3.1 score of 7.8 to the bugs and released fixes through Product Security Updates in early June. The vulnerabilities stem from missing length checks in multiple NPU driver paths, leading to out-of-bounds writes in kernel memory. `CVE-2025-23099` involves queue preparation logic that can reuse smaller prior allocations while trusting larger attacker-controlled counts, `CVE-2025-23103` arises from an unbounded loop counter in `npu_queue_update` that can exceed the allocated `queue_list` size, and `CVE-2025-23107` affects `fill_vs4l_buffer`, which writes kernel-side buffer metadata into an undersized user-supplied structure. STAR Labs SG credited Billy Jheng Bing-Jhong, Muhammad Alifa Ramdhan, and Pan Zhenpeng with reporting the issues.
May 24, 2026
Qualcomm and Samsung patched critical baseband and firmware flaws in mobile chipsets
Qualcomm disclosed and patched several high-severity chipset vulnerabilities affecting Snapdragon, FastConnect, modem, automotive, and IoT products, including **`CVE-2025-27034`**, **`CVE-2025-21483`**, **`CVE-2025-21427`**, **`CVE-2025-27043`**, and **`CVE-2025-21450`**. The flaws span modem, video, RTP, and GPS/GNSS firmware and include remote code execution, memory corruption, buffer over-read, and man-in-the-middle risks. Reported attack paths include malformed PLMN roaming responses, crafted RTP and video-stream payloads, and unauthenticated interception of GNSS assistance data delivered over HTTP. Several issues require no user interaction and affect low-level firmware, raising the risk of bypassing operating system protections; one Qualcomm modem flaw, `CVE-2025-27034`, was reported as exploited in the wild. Qualcomm addressed the issues through July and September 2025 security updates, with exposure likely to persist where OEM firmware rollout lags. Samsung also issued fixes for multiple **Exynos baseband** vulnerabilities, including **`CVE-2024-55568`**, **`CVE-2025-26781`**, **`CVE-2025-26782`**, and **`CVE-2025-54329`**, affecting smartphones, wearables, and modem products. The bugs include NULL pointer dereference, out-of-bounds operations in RLC AM packet handling, and a heap overflow in the NAS signaling layer that can be triggered by malformed LTE or 5G traffic, Mobility Management packets, or multi-payload NAS messages such as SMS. Successful exploitation can crash or hang the modem, reboot devices, or cut off cellular service, and some flaws may be reachable through rogue base stations or compromised network infrastructure before higher-layer authentication or encryption takes effect. Samsung shipped patches in its October and November 2025 security updates, continuing a pattern of baseband security issues previously highlighted in Exynos modem research.
Jun 12, 2026