Ethical Hacking News
U.S. federal agencies have been ordered by CISA to patch a critical Samsung vulnerability that has been exploited in zero-day attacks to deploy the notorious LandFall spyware on devices running WhatsApp. The vulnerability, tracked as CVE-2025-21042, allows remote attackers to gain code execution on devices running Android 13 and later.
CISA has issued an urgent warning about a critical Samsung vulnerability (CVE-2025-21042) that has been exploited in zero-day attacks. The vulnerability, discovered in Samsung's libimagecodec.quram.so library, allows remote attackers to gain code execution on devices running Android 13 and later. Attackers have been exploiting this flaw since at least July 2024 to deploy the LandFall spyware via malicious DNG images sent over WhatsApp. The spyware can access browsing history, record calls and audio, track location, access photos and contacts, and more. Targets include Samsung flagship models like Galaxy S22, S23, and S24 series devices, as well as the Z Fold 4 and Z Flip 4. CISA has ordered federal agencies to secure their Samsung devices against ongoing attacks within three weeks, by December 1.
CISA (Cybersecurity and Infrastructure Security Agency) has issued an urgent warning to U.S. federal agencies to patch a critical Samsung vulnerability that has been exploited in zero-day attacks to deploy the notorious LandFall spyware on devices running WhatsApp.
Tracked as CVE-2025-21042, this out-of-bounds write security flaw was discovered in Samsung's libimagecodec.quram.so library, allowing remote attackers to gain code execution on devices running Android 13 and later. The vulnerability was initially reported by Meta and WhatsApp Security Teams in April, but it took Palo Alto Networks' Unit 42 until last week to reveal that attackers had been exploiting it since at least July 2024 to deploy previously unknown LandFall spyware via malicious DNG images sent over WhatsApp.
The spyware is capable of accessing the victim's browsing history, recording calls and audio, tracking their location, as well as accessing photos, contacts, SMS, call logs, and files. According to Unit 42's analysis, it targets a wide range of Samsung flagship models, including the Galaxy S22, S23, and S24 series devices, as well as the Z Fold 4 and Z Flip 4.
Data from VirusTotal samples examined by Unit 42 researchers shows potential targets in Iraq, Iran, Turkey, and Morocco. The attackers also used C2 domain infrastructure and registration patterns that share similarities with those seen in Stealth Falcon operations, which originated from the United Arab Emirates.
Another clue is the use of the "Bridge Head" name for the malware loader component, a naming convention commonly seen in commercial spyware developed by NSO Group, Variston, Cytrox, and Quadream. However, LandFall could not be confidently linked to any known spyware vendors or threat groups.
CISA has now added the CVE-2025-21042 flaw to its Known Exploited Vulnerabilities catalog, which lists security bugs flagged as actively exploited in attacks. The agency ordered Federal Civilian Executive Branch (FCEB) agencies to secure their Samsung devices against ongoing attacks within three weeks, by December 1, as mandated by Binding Operational Directive (BOD) 22-01.
While this binding operational directive only applies to federal agencies, CISA has urged all organizations to prioritize patching this security flaw as soon as possible. "This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise," it warned. "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable."
In September, Samsung released security updates to patch another libimagecodec.quram.so flaw (CVE-2025-21043) that was exploited in zero-day attacks targeting its Android devices. It is essential for all organizations to take immediate action to secure their devices against this critical vulnerability.
Related Information:
https://www.ethicalhackingnews.com/articles/CISA-Urges-Immediate-Patching-of-Samsung-Zero-Day-Vulnerability-Exploited-by-LandFall-Spyware-ehn.shtml
https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-samsung-zero-day-used-in-spyware-attacks/
https://nvd.nist.gov/vuln/detail/CVE-2025-21042
https://www.cvedetails.com/cve/CVE-2025-21042/
https://nvd.nist.gov/vuln/detail/CVE-2025-21043
https://www.cvedetails.com/cve/CVE-2025-21043/
Published: Mon Nov 10 14:07:48 2025 by llama3.2 3B Q4_K_M