CVE-2025-21063 is an improper access control vulnerability (CWE-284) identified in Samsung Voice Recorder applications running on Samsung mobile devices with Android 15 and Android 16 operating systems. The flaw exists in versions prior to 21.5.73.12 (Android 15) and 21.5.81.40 (Android 16), where the app fails to adequately restrict access to recorded audio files when the device is locked. This allows an attacker with physical access to the locked device to browse and retrieve voice recordings without needing to authenticate or interact with the device beyond accessing the lock screen. The vulnerability does not affect the integrity or availability of the recordings but compromises confidentiality by exposing potentially sensitive audio data. The CVSS 3.1 base score is 4.6, reflecting a medium severity level, with attack vector being physical (AV:P), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and high impact on confidentiality (C:H). No known exploits have been reported in the wild to date. The vulnerability was reserved in November 2024 and published in October 2025. Samsung has not yet provided official patch links, but updating to the specified fixed versions is recommended once available. This vulnerability is particularly concerning for environments where sensitive conversations or confidential information are recorded on mobile devices, as unauthorized physical access could lead to data leakage without unlocking the device.

For European organizations, this vulnerability poses a risk of sensitive information exposure through unauthorized access to voice recordings on Samsung mobile devices. Industries such as finance, legal, healthcare, and government, which may rely on voice recordings for meetings, interviews, or evidence, could suffer confidentiality breaches if devices are lost, stolen, or accessed by unauthorized personnel. The impact is primarily on confidentiality, with no direct effect on data integrity or device availability. Since exploitation requires physical access to the locked device but no authentication, the threat is significant in scenarios where devices are unattended or stolen. This could lead to regulatory compliance issues under GDPR due to unauthorized disclosure of personal or sensitive data. The medium severity score indicates moderate urgency, but organizations should prioritize patching to prevent potential data leaks and reputational damage.

1. Update the Samsung Voice Recorder app to versions 21.5.73.12 or later on Android 15 and 21.5.81.40 or later on Android 16 as soon as patches are available. 2. Enforce strict device lock policies, including strong PINs, passwords, or biometric authentication, to reduce the risk of physical access exploitation. 3. Disable or restrict lock screen access to apps and files where possible via device management policies. 4. Educate employees on the risks of leaving devices unattended or unlocked in public or insecure locations. 5. Use mobile device management (MDM) solutions to monitor and control app versions and enforce security configurations. 6. Consider encrypting sensitive voice recordings within the app or using secure containers to add an additional layer of protection. 7. Regularly audit and review device security settings and app permissions to ensure compliance with organizational security policies.