CVE-2025-20910

6.2 MEDIUM

📋 TL;DR

This vulnerability allows local attackers to access Galaxy Watch Gallery data due to incorrect default permissions. It affects Samsung Galaxy Watch devices running vulnerable versions of the Galaxy Watch Gallery application. Attackers must have local access to the device to exploit this.

💻 Affected Systems

Products:
  • Samsung Galaxy Watch devices
Versions: Galaxy Watch Gallery prior to SMR Mar-2025 Release 1
Operating Systems: Wear OS (Samsung variant)
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with vulnerable Galaxy Watch Gallery versions; requires local access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Local attackers could access sensitive user data stored in Galaxy Watch Gallery, potentially including personal photos, watch faces, or configuration data.

🟠 Likely Case

Malicious apps or users with physical access could read gallery data they shouldn't have permission to access.

🟢 If Mitigated

With proper access controls and updated software, the vulnerability is eliminated and data remains protected.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring physical or app-level access to the device.
🏢 Internal Only: MEDIUM - Local attackers or malicious apps could exploit this, but it requires some level of device access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the device, either through physical access or a malicious application.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: SMR Mar-2025 Release 1 or later

Vendor Advisory: https://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=03

Restart Required: Yes

Instructions:

1. Open the Galaxy Wearable app on the paired phone.
2. Go to Watch settings > About watch > Software update.
3. Check for and install available updates.
4. Restart the watch after the update completes.

🔧 Temporary Workarounds

Disable Galaxy Watch Gallery (applies to: all)

Temporarily disable the vulnerable application until patched.

Restrict physical access (applies to: all)

Ensure the watch is physically secured and not accessible to untrusted individuals.

🧯 If You Can't Patch

  • Limit physical access to the device
  • Avoid installing untrusted applications on the watch

🔍 How to Verify

Check if Vulnerable:

Check Galaxy Watch Gallery version in Watch settings > Apps > Galaxy Watch Gallery > App info

Check Version:

Not applicable - check through watch settings interface

Verify Fix Applied:

Verify software version is SMR Mar-2025 Release 1 or later in Watch settings > About watch > Software info

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to Galaxy Watch Gallery data
  • Permission violation logs

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable for typical SIEM monitoring of wearable devices
