CVE-2025-20894

Vulnerability

Samsung Email versions prior to 6.1.97.1 contain an improper access control vulnerability that allows a physical attacker to access data across multiple user profiles. The flaw exists in the application's handling of user profile boundaries, enabling data leakage between profiles without proper authentication.

Exploitation

To exploit this vulnerability, an attacker must have physical access to a device running an affected version of Samsung Email. No special authentication or user interaction beyond that required to unlock the device is necessary. The attacker can navigate the application to access data belonging to other user profiles on the same device.

Impact

Successful exploitation results in unauthorized disclosure of data from multiple user profiles. The attacker gains access to sensitive information that is intended to be isolated between profiles, leading to a breach of confidentiality and violating user profile separation.

Mitigation

Users should update Samsung Email to version 6.1.97.1 or later, which contains the fix. The update was released in January 2025 as part of Samsung's monthly security maintenance release. No workarounds are documented in the available references [1].