Pwn2Own Disclosure: Samsung Galaxy S25 Samsung Members Flaw Allows Unauthenticated WebView Hijacking
A security feature bypass vulnerability in the Samsung Members app on the Galaxy S25, disclosed at Pwn2Own, lets remote attackers open a WebView with a custom URL without authentication.

A security feature bypass vulnerability in the Samsung Members application on the Samsung Galaxy S25 has been publicly disclosed as part of the Pwn2Own hacking contest. Tracked as CVE-2025-21079 and published by the Zero Day Initiative (ZDI-26-210), the flaw allows remote attackers to open a WebView with a custom URL without requiring any authentication. The vulnerability was reported to Samsung on November 18, 2025, and a coordinated advisory was released on March 16, 2026.
The specific flaw exists within the Samsung Members application, which is pre-installed on Galaxy devices. The issue stems from the exposure of a resource to the wrong control sphere, which bypasses the intended security feature. An attacker can leverage this vulnerability to open a WebView with a custom URL, potentially leading to further compromise of the device or user data. The CVSS score for this vulnerability is 5.4 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N): medium severity, network attack vector, low attack complexity and no privileges required, but with user interaction required (UI:R) and only low impact on confidentiality and integrity.
The vulnerability was discovered and reported by researchers Ken Gannon (also known as 伊藤 剣, @yogehi) of Mobile Hacking Lab and Dimitrios Valsamaras (@Ch0pin). Their work was showcased as part of the Pwn2Own contest, which incentivizes researchers to find and responsibly disclose zero-day vulnerabilities in widely used products.
Samsung has issued an update to correct this vulnerability. Users are advised to ensure their Galaxy S25 devices are running the latest security patch level, which can be obtained through Samsung's security update portal. The update addresses the improper resource exposure that allowed the WebView bypass. Samsung's security maintenance release for November 2025 includes the fix, and users should verify their device is updated to at least that level.
The impact of this vulnerability is significant given the widespread adoption of Samsung Galaxy devices. The Samsung Members app is a core application that provides device support, diagnostics, and community features. An attacker exploiting this flaw could potentially launch phishing attacks, steal credentials, or deliver malicious content through the WebView interface. While the CVSS score is moderate, the ease of exploitation (no authentication required, low complexity, with only a user-interaction step standing in the way) makes it an attractive target for attackers.
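The advisory describes the root cause only as exposing a resource to the wrong control sphere; it does not say which component of Samsung Members is involved. A common way that weakness class shows up in Android apps is an exported component that takes a URL from an incoming intent and loads it into a WebView. Two checks an app-security reviewer would run against that pattern, written here as an added example rather than anything taken from Samsung's code or the advisory: an audit of which manifest components are reachable from other apps without a permission, and a host allowlist check of the kind that WebView-loading code should apply before calling loadUrl. The manifest below is constructed for the example; the package and component names are placeholders.

```python
"""Exported-component audit and URL allowlist check (added example, constructed input)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def attr(elem, name):
    """Read an android:-namespaced attribute."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


def audit_manifest(xml_text: str) -> list:
    """Return components other apps can reach with no permission gate.

    A component is reachable when android:exported="true", or when
    android:exported is unset and an <intent-filter> is declared (the implicit
    export rule that applied before Android 12 forced the attribute to be set).
    Launcher activities are skipped because they are exported by design.
    """
    root = ET.fromstring(xml_text)
    findings = []
    app = root.find("application")
    if app is None:
        return findings
    for comp in app:
        if comp.tag not in COMPONENT_TAGS:
            continue
        exported_attr = attr(comp, "exported")
        categories = {c.get(f"{{{ANDROID_NS}}}name") for c in comp.iter("category")}
        has_filter = comp.find("intent-filter") is not None
        exported = has_filter if exported_attr is None else exported_attr.lower() == "true"
        if not exported or "android.intent.category.LAUNCHER" in categories:
            continue
        if attr(comp, "permission") is not None:
            continue  # gated by a permission; out of scope for this audit
        findings.append({
            "component": attr(comp, "name"),
            "kind": comp.tag,
            "implicit_export": exported_attr is None,
            # BROWSABLE means the component accepts URLs from a browser/link click,
            # so an attacker-chosen URL can reach it without another app installed.
            "browsable": "android.intent.category.BROWSABLE" in categories,
        })
    return findings


def is_allowed_url(url: str, allowed_hosts: set) -> bool:
    """Allow only https URLs whose host is on the allowlist.

    urlparse().hostname strips any user-info part, so
    'https://good.example@evil.example/' resolves to evil.example and is rejected.
    """
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowed_hosts


# Constructed sample manifest; names are placeholders, not Samsung Members' real components.
SAMPLE_MANIFEST = f"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="{ANDROID_NS}" package="com.example.app">
  <application>
    <activity android:name="com.example.app.MainActivity" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.app.WebViewActivity">
      <intent-filter>
        <action android:name="android.intent.action.VIEW"/>
        <category android:name="android.intent.category.DEFAULT"/>
        <category android:name="android.intent.category.BROWSABLE"/>
        <data android:scheme="https" android:host="support.example.com"/>
      </intent-filter>
    </activity>
    <activity android:name="com.example.app.InternalActivity" android:exported="false"/>
    <service android:name="com.example.app.SyncService" android:exported="true"
             android:permission="com.example.app.permission.SYNC"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    for f in audit_manifest(SAMPLE_MANIFEST):
        print(f)
    print(is_allowed_url("https://support.example.com/help", {"support.example.com"}))
```

The audit deliberately reports implicit exports separately: a WebView activity that relies on an intent filter without setting android:exported is the case most often missed in review. The allowlist function is the shape of the fix on the loading side; the component should additionally be made non-exported or permission-protected if no other app legitimately needs to open it.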
This disclosure highlights the ongoing importance of security research programs like Pwn2Own in identifying and fixing vulnerabilities before they can be exploited in the wild. The coordinated disclosure process ensures that vendors have time to develop and release patches before the vulnerability details become public. Samsung's prompt response in issuing an update demonstrates the effectiveness of this model.
Users of Samsung Galaxy S25 devices should immediately apply the latest security updates to protect against this vulnerability. Organizations managing fleets of Samsung devices should prioritize this update as part of their patch management process. The vulnerability serves as a reminder that even pre-installed system applications can contain security flaws that require diligent attention from both vendors and users.