Credit: Samsung
This is a non-memory corrupting RCE. It required no user interaction and was possible by any attacker in a position to perform MITM attack. No authentication at all. Vulnerable devices include basically every Samsung device made from the past ~2.5 years, including current flagships. This was discovered in 2014, but gave the vendor lots of time to fix it due to the high number of affected users and severity. It was discovered and publicly disclosed by Ryan Welton at BlackHat London, 2015.
This nomination, however, goes to Samsung for backdooring their entire user population with a remotely exploitable, highly privileged, logic vulnerability that yields remote code execution. Bra-VO!