ZDI 2026-03-23

ZDI-26-224: (Pwn2Own) Samsung Galaxy S25 Samsung Account Cross-Site Scripting Remote Code Execution Vulnerability

CVE-2025-58486

Machine-generated analysis · WAYSCloud LLM

The vulnerability affects Samsung Galaxy S25 devices and involves a cross-site scripting issue that can lead to remote code execution without authentication.

Context

The affected product is the Samsung Galaxy S25, specifically related to the Samsung Account functionality. The advisory describes a cross-site scripting vulnerability that enables remote attackers to execute arbitrary scripts. The ZDI assigned a CVSS score of 6.3, indicating a medium severity rating. Worth noting is that no authentication is required to exploit the vulnerability.

Operator considerations

Check: whether Samsung Galaxy S25 devices are in use and have Samsung Account features enabled.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to execute arbitrary script on affected installations of Samsung Galaxy S25. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.3. The following CVEs are assigned: CVE-2025-58486.

Read the full advisory on ZDI →