
CVE-2025-21035: CWE-284: Improper Access Control in Samsung Mobile Samsung Calendar

Medium
Published: Wed Sep 03 2025 (09/03/2025, 06:05:40 UTC)
Source: CVE Database V5
Vendor/Project: Samsung Mobile
Product: Samsung Calendar

Description

Improper access control in Samsung Calendar prior to version 12.5.06.5 in Android 14 and 12.6.01.12 in Android 15 allows physical attackers to access data across multiple user profiles.

AI-Powered Analysis

Last updated: 09/03/2025, 06:34:19 UTC

Technical Analysis

CVE-2025-21035 is a medium-severity vulnerability classified under CWE-284 (Improper Access Control) affecting the Samsung Calendar application on Samsung mobile devices running Android 14 (Samsung Calendar versions prior to 12.5.06.5) and Android 15 (versions prior to 12.6.01.12). An attacker with physical access to the device can bypass the app's access control checks and read calendar data belonging to other user profiles configured on the same device, exposing scheduling details, appointments and other personal data that the profile boundary is supposed to isolate. The CVSS 3.1 base score is 4.6 (medium), with the vector AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: the attack requires physical access (AV:P), has low complexity (AC:L), needs no privileges (PR:N) or user interaction (UI:N), and affects confidentiality (C:H) but not integrity or availability. No exploits in the wild are reported, and the record links no patch advisory; the fixed versions are those named in the description (12.5.06.5 on Android 14, 12.6.01.12 on Android 15). The root cause is a failure to enforce the per-profile access boundary inside the Samsung Calendar app, which matters most on shared or multi-user devices. Because physical access is required, remote exploitation is not possible and the threat is limited to anyone who can handle the unlocked device; the exposure of calendar data nonetheless carries privacy and operational-security implications for affected users.

Potential Impact

For European organizations, this vulnerability poses a privacy and confidentiality risk primarily in scenarios where Samsung mobile devices are shared among multiple users or used in environments with multiple user profiles, such as corporate devices with guest or secondary profiles. Exposure of calendar data could lead to leakage of sensitive meeting schedules, business plans, or personal appointments, potentially aiding social engineering or targeted attacks. While the vulnerability does not allow remote exploitation or modification of data, the confidentiality breach could undermine trust in device security and compliance with data protection regulations such as GDPR, especially if personal data of employees or clients is exposed. Organizations with mobile device management (MDM) policies that permit multiple user profiles on Samsung devices should be particularly cautious. The impact is more pronounced in sectors handling sensitive or confidential information, including government, finance, healthcare, and critical infrastructure within Europe. However, the requirement for physical access limits the threat to insider attacks or theft scenarios rather than remote cyberattacks.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should:

1) Ensure all Samsung mobile devices are updated to versions of Samsung Calendar that include the fix (12.5.06.5 or later on Android 14, 12.6.01.12 or later on Android 15) as soon as patches are available from Samsung.
2) Restrict or disable multiple user profiles on corporate Samsung devices where possible to reduce the attack surface.
3) Enforce strict physical security controls to prevent unauthorized physical access to devices, including screen locks with strong authentication and secure storage policies.
4) Use Mobile Device Management (MDM) solutions to monitor device configurations and enforce security policies that limit profile sharing and access.
5) Educate employees about the risks of sharing devices or profiles and the importance of reporting lost or stolen devices promptly.
6) Consider encrypting sensitive calendar data or using alternative secure calendar applications if patching is delayed.
7) Conduct regular audits of device usage and access logs to detect any unauthorized access attempts.

These steps go beyond generic advice by focusing on controlling multi-user environments and physical access, which are the two factors that determine exposure to this vulnerability.
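Step 1 is the one that can be verified mechanically across a fleet. The following is an added example, not part of this advisory or of any Samsung tooling: it takes the Android release string and the `dumpsys package` output for the calendar app (collected with `adb shell getprop ro.build.version.release` and `adb shell dumpsys package <package>`; the package name `com.samsung.android.calendar` is an assumption, so confirm it on a reference device) and decides whether the installed Samsung Calendar is at or past the fixed version for that Android release. Dotted versions are compared numerically so that `06` sorts as 6 and a shorter string such as `12.5` is padded with zeros rather than compared lexically. The `dumpsys` snippets below are constructed sample input.

```python
"""Fleet check for CVE-2025-21035: is Samsung Calendar at the fixed version?

Fixed versions are taken from the CVE description:
  Android 14 -> Samsung Calendar 12.5.06.5
  Android 15 -> Samsung Calendar 12.6.01.12
Anything else (other Android major, missing version) is reported as unknown
rather than silently treated as patched.
"""
import re

# Assumed package name of the Samsung Calendar app; verify on a real device.
CALENDAR_PACKAGE = "com.samsung.android.calendar"

# Android major release -> first fixed Samsung Calendar version (from the CVE text).
FIXED_VERSIONS = {
    "14": "12.5.06.5",
    "15": "12.6.01.12",
}


def parse_version(text):
    """'12.5.06.5' -> (12, 5, 6, 5). Segments are numeric, so '06' == 6."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version string: {text!r}")
    return tuple(int(p) for p in parts)


def compare_versions(a, b):
    """Return -1, 0 or 1 like cmp(); shorter tuples are zero-padded."""
    n = max(len(a), len(b))
    a = a + (0,) * (n - len(a))
    b = b + (0,) * (n - len(b))
    return (a > b) - (a < b)


def extract_version_name(dumpsys_output):
    """Pull the versionName= field out of `dumpsys package` output, or None."""
    m = re.search(r"^\s*versionName=(\S+)", dumpsys_output, re.MULTILINE)
    return m.group(1) if m else None


def assess(android_release, dumpsys_output):
    """Return (status, reason) with status in {'patched', 'vulnerable', 'unknown'}."""
    major = android_release.strip().split(".")[0]
    fixed_text = FIXED_VERSIONS.get(major)
    if fixed_text is None:
        return "unknown", f"no fixed version known for Android {android_release}"
    installed_text = extract_version_name(dumpsys_output)
    if installed_text is None:
        return "unknown", f"versionName not found for {CALENDAR_PACKAGE}"
    try:
        installed = parse_version(installed_text)
    except ValueError as exc:
        return "unknown", str(exc)
    if compare_versions(installed, parse_version(fixed_text)) >= 0:
        return "patched", f"{installed_text} >= {fixed_text} (Android {major})"
    return "vulnerable", f"{installed_text} < {fixed_text} (Android {major})"


# Constructed sample output, shaped like the relevant lines of `dumpsys package`.
SAMPLE_OLD = f"""\
Packages:
  Package [{CALENDAR_PACKAGE}]:
    versionName=12.5.06.2
"""
SAMPLE_FIXED_14 = SAMPLE_OLD.replace("12.5.06.2", "12.5.06.5")
SAMPLE_FIXED_15 = SAMPLE_OLD.replace("12.5.06.2", "12.6.01.12")
SAMPLE_NO_VERSION = "Packages:\n  (package not installed)\n"

if __name__ == "__main__":
    for release, blob in [("14", SAMPLE_OLD), ("14", SAMPLE_FIXED_14),
                          ("15", SAMPLE_FIXED_14), ("15", SAMPLE_FIXED_15),
                          ("13", SAMPLE_OLD), ("14", SAMPLE_NO_VERSION)]:
        status, reason = assess(release, blob)
        print(f"Android {release}: {status:10s} {reason}")
```

Note that an Android 15 device running 12.5.06.5 is reported as vulnerable, since the fixed version on that release is 12.6.01.12; the check keys the threshold on the Android major release rather than on the calendar version alone.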


Technical Details

Data Version: 5.1
Assigner Short Name: SamsungMobile
Date Reserved: 2024-11-06T02:30:14.886Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68b7dd8fad5a09ad00edd1fd

Added to database: 9/3/2025, 6:17:51 AM

Last enriched: 9/3/2025, 6:34:19 AM

Last updated: 9/5/2025, 12:37:15 AM
