Talk

Shoot for the Galaxies: Our Samsung S25 1-click RCE Journey

March 20, 13:30 (CAMPUS)

In October 2025, we targeted the Samsung Galaxy S25 for Pwn2Own Ireland, hoping to get a 1-click RCE chain. Since our early bugs didn’t get us all the way there, we decided not to register. A few days later, of course, we got what we were missing: a set of vulnerabilities that let us install and launch arbitrary APKs on the S25 with a single tap.

This talk is the story of last-minute twists, and how an extremely vulnerable app ended up giving us everything we needed for a complete chain.

Attendees will see how the whole thing came together, the choices we made, and a few detours we probably could have avoided.

Speaker

Yichen Chai

Vulnerability Researcher at Bugscale with a near fanatical interest in memory corruption bugs, but stumbled into Android security research as of late. Always switching through three states of vibing, pwning and napping. Mostly napping.

Sacha Kozma

Sacha Kozma is a security researcher at Bugscale, specializing in reverse engineering, vulnerability research, and exploit development. He holds a Master’s degree in Computer Science with a specialization in cybersecurity from EPFL.