Information Disclosure in Samsung Galaxy S25 Smart Touch Call (CVE-2025-58488) Threatens Mobile Credential Security
What It Is – A medium-severity (CVSS 5.9) information-disclosure flaw in the Smart Touch Call app of Samsung Galaxy S25 devices. The bug stems from improper handling of URL parameters, allowing an attacker who can lure a user to a malicious page or file to retrieve stored credentials.
Exploitability – Remote exploitation is possible but requires user interaction (malicious link or file). No public exploit code has been released, but a proof-of-concept was demonstrated at Pwn2Own.
Affected Products – Samsung Galaxy S25 smartphones (Smart Touch Call application). Samsung has issued a security update.
TPRM Impact – Organizations that provision Samsung phones to employees, or that allow BYOD with Galaxy S25 devices, face a supply-chain risk: credential leakage can lead to corporate account compromise, unauthorized access to internal apps, and downstream phishing attacks.
Recommended Actions –
- Verify that all Galaxy S25 devices are running Samsung’s latest security patch (December 2025 update).
- Enforce mobile device management (MDM) policies that block untrusted URLs and require app-level whitelisting.
- Conduct a rapid inventory of any Galaxy S25 units in use and prioritize patch deployment.
- Review authentication logs for anomalous credential usage originating from mobile devices.
- Update employee security awareness training to highlight the risk of clicking unknown links on mobile phones.