
CVE-2025-21050: CWE-20: Improper Input Validation in Samsung Mobile Samsung Mobile Devices

Severity: High
Tags: Vulnerability, CVE-2025-21050, cve, cwe-20
Published: Fri Oct 10 2025 (10/10/2025, 06:41:32 UTC)
Source: CVE Database V5
Vendor/Project: Samsung Mobile
Product: Samsung Mobile Devices

Description

Improper input validation in Contacts prior to SMR Oct-2025 Release 1 allows local attackers to access data across multiple user profiles.

AI-Powered Analysis

AI analysis last updated: 10/10/2025, 07:09:00 UTC

Technical Analysis

CVE-2025-21050 is a vulnerability identified in Samsung Mobile devices, specifically within the Contacts application, due to improper input validation (CWE-20). This flaw exists in versions prior to the SMR (Security Maintenance Release) October 2025 Release 1 update. The vulnerability allows a local attacker to access contact data across multiple user profiles on the same device. The root cause is insufficient validation of input parameters related to user profile data access, enabling an attacker to bypass the intended user profile isolation mechanisms. The CVSS v3.1 base score is 7.1, reflecting a high severity rating. The vector string (AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N) indicates that the attack requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N). The scope is changed (S:C), meaning the vulnerability affects resources beyond the initially vulnerable component. The impact is high on confidentiality (C:H), with no impact on integrity (I:N) or availability (A:N). Although no exploits have been reported in the wild, the vulnerability poses a significant risk of sensitive data leakage between user profiles on shared devices. This is particularly relevant for devices used in corporate or multi-user environments where sensitive contact information may be stored. The vulnerability was reserved in November 2024 and published in October 2025, indicating a recent discovery and disclosure. Samsung has not yet provided patch links, but the SMR Oct-2025 Release 1 is expected to address the issue.

Potential Impact

For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive contact information across user profiles on Samsung Mobile devices. In environments where devices are shared among multiple users or where personal and corporate profiles coexist, attackers with local access could extract confidential contact data, potentially leading to privacy violations, corporate espionage, or social engineering attacks. The lack of required privileges or user interaction lowers the barrier for exploitation, increasing risk in scenarios such as lost or stolen devices, or insider threats. Although the vulnerability does not affect data integrity or device availability, the confidentiality breach alone can have severe compliance and reputational consequences, especially under GDPR regulations. Organizations relying heavily on Samsung Mobile devices for workforce mobility or BYOD policies should consider this vulnerability critical to address promptly.

Mitigation Recommendations

The primary mitigation is to apply the Samsung SMR October 2025 Release 1 security update as soon as it becomes available, as it is expected to fix the improper input validation flaw. Until the patch is deployed, organizations should enforce strict physical and logical access controls to prevent unauthorized local access to devices, including strong device lock mechanisms and endpoint management policies. Disabling or limiting multiple user profiles on corporate devices can reduce the attack surface. Additionally, organizations should educate users about the risks of sharing devices and implement mobile device management (MDM) solutions to monitor and restrict device usage. Regular audits of device configurations and user profiles can help detect anomalies. Finally, organizations should prepare incident response plans for potential data leakage scenarios involving mobile devices.
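The recommendations above hinge on confirming that every managed Samsung device actually carries the October 2025 release. The script below is an added example, not tooling from Samsung or from this site, for a fleet audit over USB-connected devices using `adb` (the standard Android `ro.build.version.security_patch` property). It assumes that SMR Oct-2025 Release 1 corresponds to a security patch level of 2025-10-01; that mapping is an assumption to be confirmed against Samsung's bulletin for each model, and the serial numbers and property values in the sample data are constructed. The parsing and comparison logic is separated from the `adb` calls so it can be exercised offline.

```python
import subprocess
from datetime import date
from typing import Callable, Dict, List, Optional

# Assumed patch level for SMR Oct-2025 Release 1 (assumption; verify per model
# against Samsung's security bulletin before relying on it).
REQUIRED_PATCH_LEVEL = date(2025, 10, 1)


def parse_patch_level(raw: str) -> Optional[date]:
    """Parse the YYYY-MM-DD value of ro.build.version.security_patch; None if unreadable."""
    try:
        return date.fromisoformat(raw.strip())
    except ValueError:
        return None


def is_patched(raw_patch_level: str, required: date = REQUIRED_PATCH_LEVEL) -> bool:
    """A device counts as patched only if its patch level parses and is not older than required."""
    level = parse_patch_level(raw_patch_level)
    return level is not None and level >= required


def parse_adb_devices(output: str) -> List[str]:
    """Extract serials from `adb devices` output, keeping only devices in the 'device' state.

    Unauthorized or offline entries are skipped: their patch level cannot be queried.
    """
    serials = []
    for line in output.splitlines()[1:]:       # first line is "List of devices attached"
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def query_patch_level(serial: str) -> str:
    """Read the security patch level from a connected device via adb."""
    result = subprocess.run(
        ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def audit(serials: List[str],
          get_level: Callable[[str], str] = query_patch_level) -> Dict[str, bool]:
    """Map each serial to whether it meets the required patch level."""
    return {serial: is_patched(get_level(serial)) for serial in serials}


# Constructed sample data standing in for live adb output.
SAMPLE_ADB_DEVICES = (
    "List of devices attached\n"
    "R5CR1234ABC\tdevice usb:1-1 transport_id:1\n"
    "R5CR5678DEF\tunauthorized usb:1-2 transport_id:2\n"
    "R5CR9999XYZ\tdevice usb:1-3 transport_id:3\n"
)
SAMPLE_LEVELS = {"R5CR1234ABC": "2025-10-01\n", "R5CR9999XYZ": "2025-08-01\n"}


def sample_audit() -> Dict[str, bool]:
    """Run the audit against the constructed sample instead of real devices."""
    return audit(parse_adb_devices(SAMPLE_ADB_DEVICES), SAMPLE_LEVELS.__getitem__)


if __name__ == "__main__":
    # Replace sample_audit() with audit(parse_adb_devices(subprocess.run(
    #     ["adb", "devices"], capture_output=True, text=True).stdout)) for a live run.
    for serial, ok in sample_audit().items():
        print(f"{serial}: {'OK' if ok else 'NEEDS SMR Oct-2025 Release 1 or later'}")
```

Devices that report `unauthorized` are deliberately excluded rather than treated as patched, so an incomplete USB debugging authorization cannot mask an unpatched handset; in an MDM-managed fleet the same comparison can be applied to the patch level the MDM agent reports.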


Technical Details

Data Version: 5.1
Assigner Short Name: SamsungMobile
Date Reserved: 2024-11-06T02:30:14.890Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68e8ad897817465f6ff3a6c8

Added to database: 10/10/2025, 6:54:01 AM

Last enriched: 10/10/2025, 7:09:00 AM

Last updated: 10/10/2025, 11:55:00 AM
