Impact
The vulnerability stems from incorrect default permissions set in Samsung’s FactoryCamera application, allowing a local attacker to read the device’s unique identifier. The lack of proper access control enables disclosure of a privacy‑sensitive value that could be used for tracking or targeted attacks. The impact is limited to information disclosure and does not grant privilege escalation or remote code execution.
Affected Systems
Samsung mobile devices running a FactoryCamera version earlier than the one shipped in the SMR May-2026 Release 1 update are affected. A device remains vulnerable until that update has been applied.
Risk and Exploitability
The CVSS score of 6.8 indicates moderate severity. The EPSS score of less than 1% indicates a very low but non-zero exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. Exploitation requires local access to the device; there is no remote attack surface. The risk is therefore limited to scenarios where an attacker has physical access to the device or can run software on it locally.
OpenCVE Enrichment