Pwn2Own 2025: Samsung Galaxy S25 XSS Flaw in Samsung Account App Allows Remote Script Execution in the App's WebView
A cross-site scripting vulnerability in the Samsung Account app on the Galaxy S25, discovered at Pwn2Own, could let an attacker who lures the user to a malicious link run arbitrary script inside the app's WebView.

A cross-site scripting (XSS) vulnerability in the Samsung Account application on the Samsung Galaxy S25, discovered during the Pwn2Own hacking contest, could allow remote attackers to execute arbitrary script in the context of the application's WebView. The flaw, tracked as CVE-2025-58486, was reported by Ken Gannon and Dimitrios Valsamaras and disclosed by the Zero Day Initiative (ZDI) on March 23, 2026.
The vulnerability stems from the Samsung Account app's failure to properly validate user-supplied data before it reaches the WebView, which lets an attacker inject arbitrary script into the rendered page. The bug carries a CVSS score of 6.3: it requires user interaction, such as opening a malicious link, but no authentication. Once triggered, the injected script runs with whatever the WebView can reach, which may include account data the app exposes to its web content and the ability to perform actions on the user's behalf. Script execution inside a WebView is not native code execution on the device; its severity depends on what the app hands the page, for example JavaScript interfaces, file or content access, or privileged URL schemes.
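The following is an added illustration of the general Android pattern behind this class of bug, not Samsung's code and not the actual code path of CVE-2025-58486, which has not been published. The activity, host and query-parameter names are hypothetical. It places the vulnerable rendering (a deep-link parameter spliced into HTML unescaped) beside a hardened version that HTML-encodes the value, adds a Content-Security-Policy, disables what the WebView does not need, and pins navigation to a single host.

```java
// Added illustration, not Samsung's code: the generic Android pattern behind a
// "malicious link -> script in the WebView" bug, beside a hardened version.
// The activity, host and parameter names are hypothetical; the real code path of
// CVE-2025-58486 has not been published.
package example.webviewxss;

import android.app.Activity;
import android.net.Uri;
import android.os.Bundle;
import android.text.TextUtils;
import android.webkit.WebResourceRequest;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class AccountWelcomeActivity extends Activity {

    // Hypothetical host the account page is served from; the only host the WebView may navigate to.
    private static final String TRUSTED_HOST = "account.example.com";

    // VULNERABLE: the deep-link parameter is spliced into HTML unescaped.
    // A link such as  myapp://welcome?name=%3Cimg%20src%3Dx%20onerror%3Dalert(document.cookie)%3E
    // becomes live markup, and its onerror handler runs inside the WebView.
    static String renderVulnerable(String displayName) {
        return "<html><body><h1>Welcome, " + displayName + "</h1></body></html>";
    }

    // HARDENED: HTML-encode the untrusted value before it reaches the page, and add a
    // CSP that blocks inline script as a second layer in case encoding is ever missed.
    static String renderHardened(String displayName) {
        String safe = TextUtils.htmlEncode(displayName); // & < > " ' become entities
        return "<html><head>"
             + "<meta http-equiv=\"Content-Security-Policy\" content=\"default-src 'none'; style-src 'self'\">"
             + "</head><body><h1>Welcome, " + safe + "</h1></body></html>";
    }

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        WebView webView = new WebView(this);
        setContentView(webView);

        // Untrusted input: getQueryParameter() percent-decodes, so a payload arrives as raw HTML.
        Uri link = getIntent().getData();
        String param = (link != null) ? link.getQueryParameter("name") : null;
        String name = (param != null) ? param : "user";

        // Reduce what an injected script could do if a bug still slips through.
        WebSettings settings = webView.getSettings();
        settings.setJavaScriptEnabled(false);   // enable only if the page genuinely needs it
        settings.setAllowFileAccess(false);     // no file:// reads from inside the WebView
        settings.setAllowContentAccess(false);  // no content:// provider reads either
        // Do not call webView.addJavascriptInterface(...) on a WebView that renders untrusted
        // data: it would hand injected script a bridge into the app's Java code.

        // Pin navigation to the trusted host over https; anything else is refused, not loaded.
        webView.setWebViewClient(new WebViewClient() {
            @Override
            public boolean shouldOverrideUrlLoading(WebView view, WebResourceRequest request) {
                Uri target = request.getUrl();
                boolean allowed = "https".equals(target.getScheme())
                        && TRUSTED_HOST.equalsIgnoreCase(target.getHost()); // null host -> false
                return !allowed; // true means "handled" (by refusing), so the WebView does not navigate
            }
        });

        // loadDataWithBaseURL avoids the data: URL encoding pitfalls of loadData() and gives the
        // page a real origin, so the CSP and same-origin rules behave as they would in a browser.
        webView.loadDataWithBaseURL("https://" + TRUSTED_HOST + "/", renderHardened(name),
                "text/html", "UTF-8", null);
    }
}
```

The check a reviewer would run on an app like this: grep for every place a value from `Intent.getData()`, `getStringExtra()` or a server response is concatenated into HTML or passed to `loadUrl("javascript:...")`, and confirm each one is encoded for the context it lands in. Encoding on output is the fix for XSS; "input validation" alone tends to be bypassed, which is why the hardened version also strips JavaScript, file and content access from a WebView that does not need them.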
The Galaxy S25, Samsung's flagship smartphone released in early 2025, is widely deployed across consumer and enterprise markets. While the vulnerability is not known to be actively exploited in the wild, its discovery at Pwn2Own, a contest that awards researchers for finding zero-day flaws, underscores the persistent security challenges in mobile ecosystems. The ZDI advisory notes that the flaw was reported to Samsung on November 20, 2025, roughly four months before the coordinated public disclosure.
Samsung has released a security update to address CVE-2025-58486, available through its Samsung Mobile Security portal. Users are strongly advised to apply the update promptly. The patch is part of Samsung's monthly security maintenance release, which typically bundles fixes for multiple vulnerabilities; administrators can confirm a device is covered by checking that its security patch level matches or exceeds the monthly release whose notes list CVE-2025-58486.
The disclosure follows a broader trend of mobile vulnerabilities uncovered at Pwn2Own events, which have increasingly targeted smartphone components like account management apps and WebView implementations. The Samsung Account app is a critical component that handles authentication and synchronization across Samsung devices, making it a high-value target for attackers seeking to compromise user accounts.
Ken Gannon and Dimitrios Valsamaras, the researchers credited with discovering the flaw, are known for their work on mobile security. Gannon, a researcher at Mobile Hacking Lab, has previously disclosed vulnerabilities in Samsung and other Android devices. The coordinated disclosure process allowed Samsung time to develop and deploy a fix before public details were released.
This vulnerability highlights the importance of encoding untrusted data for the context in which it is rendered, and of hardening any WebView that displays it, particularly in applications that handle sensitive user data. As smartphones continue to serve as primary computing devices for billions of users, flaws like CVE-2025-58486 serve as a reminder that even flagship devices require constant security updates to stay ahead of attackers.