CVE-2025-20966 is a medium-severity vulnerability classified under CWE-284 (Improper Access Control) affecting Samsung Gallery, a native photo management application on Samsung Mobile devices. The flaw exists in versions prior to 14.5.10.3 on Global Android 13, 14.5.09.3 on China Android 13, and 15.5.04.5 on Android 14. The vulnerability allows a physical attacker with access to the device to bypass access control restrictions and access data across multiple user profiles on the device. This means that if a device is shared among multiple users or profiles, an attacker can potentially view or extract sensitive images or media files belonging to other profiles without proper authorization. The CVSS v3.1 base score is 4.6, indicating a medium severity level, with the vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. This means the attack requires physical access (AV:P), has low attack complexity (AC:L), does not require privileges or user interaction, and impacts confidentiality with a high impact, but does not affect integrity or availability. No known exploits are currently reported in the wild, and no official patches or updates are linked yet. The vulnerability stems from improper enforcement of access control policies within the Samsung Gallery app, allowing unauthorized cross-profile data access on affected Samsung devices running specified Android versions.

For European organizations, this vulnerability poses a significant risk especially in environments where Samsung devices are shared among multiple users or used in multi-profile configurations, such as corporate devices with separate work and personal profiles or devices used in kiosk or shared user scenarios. The unauthorized access to media files across profiles can lead to leakage of sensitive or confidential information, including personal photos, corporate images, or other media that may contain proprietary or private data. Although the attack requires physical access to the device, this risk is heightened in scenarios where devices are lost, stolen, or temporarily accessed by unauthorized personnel. The confidentiality breach could impact employee privacy, corporate data protection compliance (such as GDPR), and potentially expose organizations to reputational damage or regulatory penalties. Since the vulnerability does not affect integrity or availability, the main concern remains unauthorized data disclosure. The lack of requirement for user interaction or privileges makes the exploit straightforward once physical access is obtained, increasing the threat in environments with less stringent physical security controls.

Organizations should prioritize updating Samsung Gallery to the fixed versions (14.5.10.3 or later on Global Android 13, 14.5.09.3 or later on China Android 13, and 15.5.04.5 or later on Android 14) as soon as patches become available from Samsung. Until patches are applied, organizations should enforce strict physical security controls to prevent unauthorized physical access to devices, including secure storage, device tracking, and prompt reporting of lost or stolen devices. Additionally, disabling or limiting multi-user profiles on corporate Samsung devices can reduce the attack surface. Employing device encryption and strong lock screen authentication mechanisms will further protect data confidentiality. IT administrators should audit device configurations to ensure that Samsung Gallery is updated and consider restricting installation or usage of vulnerable app versions via mobile device management (MDM) solutions. User awareness training about the risks of physical device access and the importance of reporting device loss is also recommended. Monitoring for unusual access patterns or data exfiltration attempts related to media files can help detect exploitation attempts.