Mallory
Severity: High

Improper access control in Samsung Routines leading to SystemUI privilege code execution

Identifiers: CVE-2025-21058, CWE-284

CVE-2025-21058 is an improper access control vulnerability in Samsung's Routines automation component on Galaxy devices. It affects Routines versions prior to 4.8.7.1 on Android 15 and prior to 4.9.6.0 on Android 16. According to the provided content, the flaw is caused by insufficient authorization checks in Routines, which exposed privileged operations to local processes without properly validating caller identity or permissions. A local attacker on the device could abuse this weakness to execute arbitrary code in a SystemUI-privileged context, crossing the intended boundary between ordinary applications and system-level components.


Analyst brief: impact, mitigation & remediation

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in arbitrary code execution with SystemUI privileges. This gives an attacker significantly elevated capabilities relative to a normal application, including broad control over system UI elements and access to sensitive resources available to the SystemUI context. The vulnerability therefore represents a local privilege escalation path from a less-privileged local process or attacker-controlled local context into a privileged system component.

Mitigation

If you can’t patch tonight, do this now.

Apply Samsung security updates that include the patched Routines component. Until patching is completed, reduce exposure by limiting local attacker access to the device, restricting installation or execution of untrusted applications, and enforcing enterprise/mobile-device-management controls where available. No specific vendor-supplied workaround beyond updating is provided in the supplied content.

Remediation

Patch, then assume compromise.

Update Samsung Routines to the fixed versions identified by Samsung: version 4.8.7.1 or later on Android 15, and version 4.9.6.0 or later on Android 16. Samsung's fix reportedly adds proper access control and authorization checks to prevent untrusted local callers from invoking privileged operations.
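As an added illustration of the bug class this advisory describes (it is not Samsung's code and does not show how Routines is implemented), here is a hypothetical Android bound service whose Binder transaction handler verifies the caller's UID, permission and package before doing privileged work. The interface descriptor, permission name and allow-listed package are assumed values.

```java
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.Process;
import android.os.RemoteException;
import android.util.Log;
import java.util.Set;

public class PrivilegedActionService extends Service {
    static final String DESCRIPTOR = "com.example.IPrivilegedAction";            // assumed
    static final int TRANSACTION_RUN = IBinder.FIRST_CALL_TRANSACTION;
    // Assumed permission; declared in the manifest with protectionLevel="signature".
    static final String PERM = "com.example.permission.RUN_PRIVILEGED_ACTION";
    static final Set<String> ALLOWED_PKGS = Set.of("com.example.trusted.automation"); // assumed
    private final IBinder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags) throws RemoteException {
            if (code != TRANSACTION_RUN) return super.onTransact(code, data, reply, flags);
            data.enforceInterface(DESCRIPTOR);
            String action = data.readString();
            // Vulnerable form (CWE-284): calling runPrivileged(action) right here lets
            // any local process that can bind to this service reach the privileged path.
            authorizeCaller();
            // Caller verified: drop its identity so the work below is attributed to this service.
            long token = Binder.clearCallingIdentity();
            try {
                runPrivileged(action);
            } finally {
                Binder.restoreCallingIdentity(token);
            }
            reply.writeNoException();
            return true;
        }
    };
    // Hardened form: establish who is on the other end of the Binder transaction.
    void authorizeCaller() {
        int uid = Binder.getCallingUid();
        if (uid == Process.SYSTEM_UID || uid == Process.myUid()) return;   // platform or self
        enforceCallingPermission(PERM, "caller lacks " + PERM);            // throws SecurityException
        String[] pkgs = getPackageManager().getPackagesForUid(uid);
        boolean allowed = false;
        if (pkgs != null) for (String p : pkgs) allowed |= ALLOWED_PKGS.contains(p);
        if (!allowed) throw new SecurityException("uid " + uid + " is not an allow-listed caller");
    }
    void runPrivileged(String action) { Log.i("PrivilegedAction", "running: " + action); }
    @Override public IBinder onBind(Intent intent) { return binder; }
}
```

If the component never needs to be reachable from other packages, `android:exported="false"` in the manifest removes the local attack surface entirely and the in-code checks become defence in depth.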

Public exploits

No public exploit code observed for this vulnerability (0 valid / 0 total tracked).
