At the recent Pwn2Own Ireland 2025 competition, cybersecurity researchers Ben R. and Georgi G. from Interrupt Labs successfully demonstrated a zero-day vulnerability in the Samsung Galaxy S25, allowing them to gain complete control over the flagship Android smartphone.
Remote Surveillance Exploit
The exploit, unveiled on the final day of the event, bypassed Samsung's built-in safeguards, enabling the researchers to silently hijack the device without any user interaction. They demonstrated the ability to remotely activate the camera and track the user's real-time GPS location. This effectively turned the premium smartphone into a powerful surveillance tool.
The core issue was identified as an improper input validation bug within the Galaxy S25’s software stack. By crafting malicious inputs, the attackers were able to bypass security features and execute arbitrary code remotely, securing persistent access to the device. Experts suggest these critical flaws often surface in system or multimedia libraries where rapid feature development can sometimes outpace security hardening.
Responsible Disclosure and Payout
For their sophisticated exploit chain, Ben R. and Georgi G. were awarded $50,000 and five Master of Pwn points. This exploit contributed to the event's massive total payout of $2 million across 73 unique zero-days.
Pwn2Own, organized by the Zero Day Initiative, is crucial because it incentivizes ethical hackers to responsibly disclose flaws directly to vendors like Samsung. While Samsung has yet to issue an official statement, it is anticipated that a security update will be released soon to patch the vulnerability. Users are strongly advised to enable automatic updates and monitor official channels for the patch, as unmitigated exploits could expose highly sensitive personal data.

