Samsung Galaxy S25 Smart Touch Call Vulnerability Allows Credential Theft
A vulnerability in the Samsung Galaxy S25 Smart Touch Call application (CVE-2025-58488) could allow remote attackers to disclose stored credentials, requiring user interaction.

A newly disclosed vulnerability in the Samsung Galaxy S25 Smart Touch Call application could allow remote attackers to access stored credentials. Tracked as CVE-2025-58488 and reported by Interrupt Labs, the flaw was demonstrated at Pwn2Own and carries a CVSS score of 5.9. The issue stems from a missing protection mechanism when handling URL parameters, enabling an attacker to bypass access controls and retrieve sensitive information.
The vulnerability resides in the Smart Touch Call application, which is part of Samsung's default software suite on the Galaxy S25. The specific flaw occurs during the processing of URL parameters: the application fails to enforce the expected protection mechanism before granting access to the functionality those parameters select. An attacker can exploit this by crafting a malicious link or file that, when opened by the user, triggers the disclosure of stored credentials, which could include passwords or authentication tokens saved within the app.
Exploitation requires user interaction, such as visiting a malicious webpage or opening a crafted file. This requirement reduces the risk of widespread automated attacks but still poses a significant threat in targeted scenarios, such as phishing campaigns. The vulnerability is classified as an information disclosure issue, with the potential to lead to further compromise if the stolen credentials are reused across other services.
Samsung has released a security update to address the vulnerability. The patch is available through Samsung's security maintenance release program, with details provided in the December 2025 security bulletin. Users are strongly advised to update their devices to the latest firmware to mitigate the risk. The update can be applied via the device's system update settings.
The disclosure timeline shows that the vulnerability was reported to Samsung on November 18, 2025, and the coordinated public release occurred on March 23, 2026. This aligns with typical responsible disclosure practices, giving the vendor time to develop and deploy a fix before public details emerged.
This vulnerability highlights the ongoing risks in mobile device applications, particularly those that handle sensitive user data. As smartphones become central to personal and professional activities, flaws in pre-installed apps can have broad implications. Samsung's prompt response is commendable, but users must remain vigilant about applying updates to protect against credential theft and subsequent attacks.