CVE-2025-21048 is a vulnerability classified as CWE-23 (Relative Path Traversal) affecting Samsung Mobile Devices running Knox Enterprise software versions prior to the SMR October 2025 Release 1. The vulnerability arises from improper validation of file paths, allowing a local attacker with high privileges to manipulate file system paths to access or overwrite arbitrary files outside the intended directory structure. This can lead to arbitrary code execution under the context of the Knox Enterprise service, which typically has elevated privileges on the device. Exploitation requires local access with high privileges, but no user interaction is needed, making it a potent vector for privilege escalation or persistence on compromised devices. The vulnerability impacts confidentiality, integrity, and availability by enabling attackers to execute malicious code, potentially compromising sensitive enterprise data and device functionality. The CVSS v3.1 score of 6.7 reflects a medium severity, balancing the high impact with the requirement for local privileged access. No public exploits have been reported yet, but the vulnerability is officially published and should be addressed promptly. Samsung's Knox platform is widely used in enterprise environments for device management and security, increasing the potential impact of this vulnerability in corporate contexts.

The vulnerability allows local attackers with high privileges to execute arbitrary code, which can lead to full compromise of the affected device's Knox Enterprise environment. This can result in unauthorized access to sensitive enterprise data, disruption of device management functions, and potential lateral movement within corporate networks. The ability to execute arbitrary code undermines the integrity and confidentiality of the device and its managed data. Organizations relying on Samsung Knox for secure device management face risks of data breaches, espionage, and operational disruption. Although exploitation requires local privileged access, the vulnerability could be leveraged by insiders or attackers who have already gained partial access to escalate privileges and maintain persistence. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially given the widespread use of Samsung devices in enterprise settings worldwide.

Organizations should apply the SMR October 2025 Release 1 update from Samsung as soon as it becomes available to remediate this vulnerability. Until patches are deployed, restrict local privileged access on Samsung devices to trusted personnel only and monitor for unusual activity indicative of privilege escalation attempts. Employ endpoint detection and response (EDR) solutions capable of detecting suspicious file system manipulations and code execution behaviors. Regularly audit device configurations and Knox Enterprise policies to ensure least privilege principles are enforced. Additionally, implement strong physical security controls to prevent unauthorized local access to devices. Educate users and administrators about the risks of local privilege misuse and maintain up-to-date inventory of affected devices to prioritize patch management effectively.