ZDI 2026-03-23

ZDI-26-225: (Pwn2Own) Samsung Galaxy S25 Samsung Account Open Redirect Security Bypass Vulnerability

CVE-2025-58487

Machine-generated analysis · WAYSCloud LLM

The vulnerability involves a Samsung Account open redirect that enables security bypass on Samsung Galaxy S25 devices.

Context

The affected product is the Samsung Galaxy S25, specifically related to the Samsung Account functionality. The vulnerability is an open redirect that allows remote attackers to bypass security measures without requiring authentication. The ZDI assigned a CVSS score of 5.6, indicating a medium severity impact. Worth noting that the issue was identified during Pwn2Own, suggesting it was part of a structured security competition.

Operator considerations

Check: whether Samsung Galaxy S25 devices are configured to use Samsung Account services with default settings.

From Zero Day Initiative ↗

This vulnerability allows remote attackers to bypass security on affected installations of Samsung Galaxy S25. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.6. The following CVEs are assigned: CVE-2025-58487.

Read the full advisory on ZDI →