CISA KEV Adds CVE-2025-21042 for Samsung Image Codec Flaw: Patch Now

CISA has placed a critical Samsung mobile vulnerability — CVE-2025-21042 — into its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation, and has set an accelerated remediation clock for federal agencies while strongly urging all organizations to patch or mitigate vulnerable Samsung devices immediately.

Background: what CISA’s KEV action means and why it matters

Binding Operational Directive (BOD) 22-01 created the Known Exploited Vulnerabilities (KEV) catalog to convert observed exploitation into operational priorities for the Federal Civilian Executive Branch (FCEB). When CISA adds a CVE to KEV it does two things at once: it highlights that the vulnerability is being exploited in the wild and it triggers a compliance-driven remediation timeline for federal agencies; private-sector organizations receive a strong, practical signal to make remediation a top priority. CISA’s KEV entries typically carry short remediation windows (often about three weeks for recently disclosed CVEs, subject to CISA’s case-by-case adjustments). For CVE-2025-21042 the agency’s KEV action created an immediate operational urgency for federal agencies and a clear call-to-action for enterprise IT and security teams. Multiple independent reports indicate federal remediation was expected by December 1, 2025, following CISA’s November 10, 2025 catalog addition.

Overview of CVE-2025-21042

The technical summary

  • Vulnerability type: Out-of-bounds write (CWE-787) in Samsung’s image-processing library libimagecodec.quram.so.
  • Impact: Remote code execution (RCE) when a malformed image triggers the library, enabling an attacker to write past memory bounds and hijack execution flow.
  • Affected component: A third-party/closed-source image codec used by Samsung devices to parse raw image formats (not an app-level bug but a system image-library flaw).
NVD’s CVE record describes CVE-2025-21042 as an out‑of‑bounds write in libimagecodec.quram.so prior to the Samsung SMR Apr‑2025 Release 1 that can allow remote code execution. The initial vendor remediation is contained in Samsung’s April 2025 Security Maintenance Release (SMR).

Why an image library bug is especially dangerous

Image-processing libraries are privileged plumbing: messaging apps, gallery viewers, and OS-level previewers call into the same codec to render or thumbnail user-supplied images. A vulnerability in a shared codec can be exploited through many apps and delivery vectors (messaging, email, web), which expands the attack surface beyond any single third-party app. The result can be zero‑click or near‑zero‑click compromise when an image is processed automatically (e.g., for preview) without explicit user interaction.

The LANDFALL campaign: exploitation in the wild

What researchers found

Palo Alto Networks’ Unit 42 identified a commercial-grade Android spyware family they named LANDFALL that used CVE-2025-21042 to compromise Samsung Galaxy devices. Unit 42’s analysis shows attackers delivered malformed DNG image files that had an embedded ZIP archive appended to the image. When the vulnerable Samsung codec parsed the DNG, the exploit triggered, the ZIP contents (shared object libraries) were extracted in-memory, and two primary modules were executed: a loader (b.so) and a SELinux policy manipulator (l.so). The loader establishes a backdoor and the SELinux manipulator elevates privileges and persistence. Unit 42’s timeline indicates LANDFALL samples date back to mid‑2024 (first observed uploads to public repositories in July 2024), and Samsung released a vendor patch in April 2025. The campaign appears targeted and regional: telemetry and submission metadata point to potential victims in Iraq, Iran, Turkey and Morocco.

Zero‑click delivery via messaging apps

Although no evidence shows a separate WhatsApp vulnerability was needed for the Android campaign, the weaponized images were named like WhatsApp attachments and likely were delivered via messaging apps that automatically generate previews. That preview behavior is enough to trigger the vulnerable codec and run the payload without the recipient tapping the file — the classic zero‑click vector seen in other high‑profile mobile spyware operations.

Confirmed facts and cross‑referencing

  • Unit 42’s technical disclosure and analysis of LANDFALL link the attack chain to CVE-2025-21042 and detail the embedded ZIP / .so extraction mechanism.
  • The National Vulnerability Database (NVD) entry corroborates the vulnerability class (out‑of‑bounds write in libimagecodec.quram.so) and lists the vendor-supplied patch location.
  • Multiple independent security outlets and incident reports — including The Hacker News and SC Media — reported that CISA added CVE-2025-21042 to the KEV catalog on Nov 10, 2025 and that federal remediation was due December 1, 2025.
  • Internal forum and operations data included with this brief also reference the KEV addition and put the issue into the operational context security teams use for remediation planning.
Where public information is incomplete — for example, final attribution of the operators behind LANDFALL — researchers note signals consistent with private-sector offensive actors (PSOAs) and regionally-focused surveillance operations, but firm attribution remains unconfirmed. Unit 42 tracks the cluster as CL‑UNK‑1054 and explicitly avoids definitive actor naming without additional evidence.

Who and what is affected

Device families and OS versions (observed / reported)

  • Samsung Galaxy S22, S23, S24 series (flagship phones)
  • Foldable models: Z Fold4, Z Flip4
  • Android versions reportedly vulnerable in observed samples: Android 13, 14 and 15 (One UI variants prior to the April 2025 SMR patch).

Scope note

The vulnerability resides in Samsung’s image codec; any app that relies on that codec to parse untrusted images is a possible vector. That includes messaging apps, web views, email clients, and even OS preview services — meaning the exposure is not limited to WhatsApp or one specific app. The real-world exploit samples give weight to a targeted campaign rather than opportunistic mass scanning, but the underlying class of bug is widely exploitable if left unpatched.

Immediate, practical steps for organizations and users

Security teams must treat this as an urgent, multi‑track remediation and detection exercise. The recommendations below are prioritized and sequenced.

1. Inventory and prioritize (first 24–72 hours)

  • Identify all Samsung mobile devices enrolled in corporate Mobile Device Management (MDM) or otherwise allowed on corporate networks.
  • Flag unmanaged BYOD devices used for privileged access (admin accounts, corporate email, VPN) for immediate engagement or restricted access until they’re patched.
  • Map applications and services that process user-supplied images server-side or client-side (messaging, email gateways, webmail previewers).

2. Patch and remediate (apply vendor fixes)

  • Apply Samsung’s SMR Apr‑2025 Release 1 or later to all affected devices as soon as the patch is available for a given model/region. Samsung published patches in April 2025; devices that have not received that SMR remain vulnerable.
  • If patching is delayed due to carrier or regional staging, implement compensating controls (see below) until the device can be updated.
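Steps 1 and 2 above reduce to a question the MDM export can answer: which Samsung devices report a security patch level older than the fixing release, and which of those hold privileged access or sit outside management. The following Python is an added example, not code from the original brief or from Samsung or CISA. It assumes a hypothetical CSV layout for the export and maps SMR Apr‑2025 Release 1 to the Android security patch level 2025-04-01; confirm that mapping against Samsung's own advisory for each model before relying on it.

```python
"""Triage an MDM device export against the CVE-2025-21042 fix level.

Added example, not from the original brief, Samsung or CISA. Assumptions:
the export is CSV with the hypothetical columns shown below, and Samsung's
SMR Apr-2025 Release 1 is mapped to an Android security patch level of
2025-04-01, so a device reporting an earlier (or no) level counts as unpatched.
"""
import csv
import io
from datetime import date

FIXED_PATCH_LEVEL = date(2025, 4, 1)   # assumption: first level carrying the fix

# Constructed sample export; every value is invented for illustration.
SAMPLE_MDM_EXPORT = """\
device_id,model,android_version,security_patch_level,managed,privileged_access
d-001,Galaxy S23,14,2025-06-01,yes,yes
d-002,Galaxy S22,13,2025-03-01,yes,yes
d-003,Galaxy Z Fold4,14,2025-02-01,yes,no
d-004,Galaxy S24,15,2025-04-01,yes,no
d-005,Galaxy S23,14,2025-01-01,no,yes
d-006,Galaxy Z Flip4,14,unknown,yes,no
"""


def parse_patch_level(value):
    """Parse 'YYYY-MM-DD'; None when the device did not report a usable level."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_vulnerable(patch_level, fixed=FIXED_PATCH_LEVEL):
    """Fail closed: an unknown level is treated as unpatched."""
    return patch_level is None or patch_level < fixed


def triage(csv_text, fixed=FIXED_PATCH_LEVEL):
    """Return unpatched devices, highest priority first.

    P1: privileged access (admin, VPN, corporate mail) -> restrict until patched.
    P2: managed -> push the SMR via MDM, restrict if the build is not yet staged.
    P3: unmanaged, no privileged access -> notify owner, deny corporate network.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not is_vulnerable(parse_patch_level(row["security_patch_level"]), fixed):
            continue
        privileged = row["privileged_access"].strip().lower() == "yes"
        managed = row["managed"].strip().lower() == "yes"
        if privileged:
            priority, action = 1, "block privileged access until patched"
        elif managed:
            priority, action = 2, "push SMR Apr-2025 or later via MDM; restrict if unavailable"
        else:
            priority, action = 3, "notify owner; deny corporate network access"
        findings.append({"device_id": row["device_id"], "model": row["model"],
                         "patch_level": row["security_patch_level"],
                         "priority": priority, "action": action})
    findings.sort(key=lambda f: (f["priority"], f["device_id"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_MDM_EXPORT):
        print(f"P{f['priority']} {f['device_id']} ({f['model']}, patch {f['patch_level']}): {f['action']}")
```

Devices that report no patch level are treated as unpatched so that reporting gaps cannot hide exposure. The priority tiers mirror the sequencing in steps 1 and 2: restrict privileged access first, push the update to managed devices second, and engage unmanaged owners last.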

3. Compensating controls and hardening

  • Disable automatic media preview in enterprise-managed messaging apps where possible.
  • Restrict or block receipt of untrusted image types (DNG/raw formats) at perimeter gateways and through MDM-managed app policies.
  • Enforce strict app update policies for messaging apps (WhatsApp, Signal, Telegram) and prefer managed clients with controls over attachments.
  • Segregate unpatched devices from critical corporate resources; block VPN or admin access from devices that cannot be updated.
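The gateway and preview controls above are easier to apply when the gateway can tell an image from an image that is also an archive. As described earlier in this brief, the LANDFALL samples were DNG files with a ZIP appended after the image data. The check below is an added example (not code from the brief, Samsung or Unit 42) that walks the TIFF structure DNG is built on, computes the last byte the image actually references, and classifies anything beyond it. The type table, tag numbers and ZIP signatures come from the public TIFF and ZIP formats; the 16-byte trailing tolerance and the sample file builder are assumptions made for the example.

```python
"""Flag DNG/TIFF attachments that carry data appended after the image structure.

Added example, not code from the brief, Samsung or Unit 42. DNG is TIFF-based, so the
image's true extent is the furthest byte any IFD entry, SubIFD or strip refers to; ZIP
signatures past that point mean the file is also an archive, the layout described for
the LANDFALL samples. Structural check only: it does not judge the image data itself.
"""
import io
import struct
import zipfile

TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
INT_FORMATS = {1: "B", 3: "H", 4: "I", 13: "I"}  # types decoded for offsets and counts
STRIP_OFFSETS, STRIP_BYTE_COUNTS, SUB_IFDS = 273, 279, 330
ZIP_SIGNATURES = (b"PK\x03\x04", b"PK\x05\x06")  # local file header, end of central dir
TRAILING_TOLERANCE = 16                          # assumption: padding some writers add


def _entry(data, endian, typ, count, field):
    """(values, extent) for one IFD entry; extent is 0 when the value is inline."""
    size = TYPE_SIZES.get(typ, 0) * count
    raw, extent = field[:size], 0
    if size > 4:                                 # value stored at an offset
        offset = struct.unpack(endian + "I", field)[0]
        raw, extent = data[offset:offset + size], offset + size
        if len(raw) < size:
            raise ValueError("IFD entry points outside the file")
    fmt = INT_FORMATS.get(typ)
    return (list(struct.unpack(endian + fmt * count, raw)) if fmt else []), extent


def _walk_ifd(data, endian, offset, seen):
    """Furthest byte referenced from an IFD chain, including SubIFDs and strips."""
    extent = 0
    while offset and offset not in seen:         # `seen` breaks offset loops
        seen.add(offset)
        (count,) = struct.unpack_from(endian + "H", data, offset)
        end = offset + 2 + 12 * count + 4
        if end > len(data):
            raise ValueError("IFD extends past end of file")
        extent, strips, counts = max(extent, end), [], []
        for pos in range(offset + 2, end - 4, 12):
            tag, typ, n = struct.unpack_from(endian + "HHI", data, pos)
            values, e = _entry(data, endian, typ, n, data[pos + 8:pos + 12])
            extent = max(extent, e)
            if tag == STRIP_OFFSETS:
                strips = values
            elif tag == STRIP_BYTE_COUNTS:
                counts = values
            elif tag == SUB_IFDS:
                for sub in values:
                    extent = max(extent, _walk_ifd(data, endian, sub, seen))
        extent = max([extent] + [so + sc for so, sc in zip(strips, counts)])
        (offset,) = struct.unpack_from(endian + "I", data, end - 4)
    return extent


def _zip_signatures(data, start):
    """Offsets of ZIP signatures at or after `start` (only the tail is scanned)."""
    return sorted(i for i in range(start, len(data) - 3) if data[i:i + 4] in ZIP_SIGNATURES)


def inspect_image(data):
    """Classify a DNG/TIFF blob as allow, review, quarantine or reject."""
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None or len(data) < 8 or struct.unpack(endian + "H", data[2:4])[0] != 42:
        return {"verdict": "reject", "reason": "not a classic TIFF/DNG header"}
    try:
        first_ifd = struct.unpack(endian + "I", data[4:8])[0]
        extent = max(8, _walk_ifd(data, endian, first_ifd, set()))
    except (struct.error, ValueError) as exc:
        return {"verdict": "reject", "reason": f"malformed IFD: {exc}"}
    trailing, sigs = len(data) - extent, _zip_signatures(data, extent)
    if sigs:
        verdict, reason = "quarantine", "ZIP structure appended after image data"
    elif trailing > TRAILING_TOLERANCE:
        verdict, reason = "review", f"{trailing} unexplained trailing bytes"
    else:
        verdict, reason = "allow", "no data beyond the image structure"
    return {"verdict": verdict, "reason": reason, "trailing_bytes": trailing, "zip_signatures": sigs}


def build_sample(append_zip):
    """Constructed input: 8x2 grayscale TIFF with a DNGVersion tag, optionally with a
    small ZIP (holding one text file, no malware) appended."""
    pixels = bytes(range(16))
    entries = [(256, 3, 1, 8), (257, 3, 1, 2), (258, 3, 1, 8), (259, 3, 1, 1),
               (262, 3, 1, 1), (273, 4, 1, None), (278, 3, 1, 2),
               (279, 4, 1, len(pixels)), (50706, 1, 4, (1, 4, 0, 0))]  # DNGVersion 1.4
    pixel_offset = 8 + 2 + 12 * len(entries) + 4          # pixels follow the IFD
    ifd = struct.pack("<H", len(entries))
    for tag, typ, count, value in entries:
        if tag == STRIP_OFFSETS:
            value = pixel_offset
        field = (struct.pack("<4B", *value) if typ == 1 else
                 struct.pack("<HH", value, 0) if typ == 3 else struct.pack("<I", value))
        ifd += struct.pack("<HHI", tag, typ, count) + field
    data = b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", 0) + pixels
    if append_zip:
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr("payload.txt", "harmless placeholder")
        data += buf.getvalue()
    return data
```

`build_sample(True)` produces a benign image-plus-archive file to exercise the quarantine path; a real deployment would run `inspect_image` on attachments before the preview pipeline sees them. Because the check is structural, a malformed image whose bytes stay within the declared extent passes it, which is why it belongs beside patching rather than in place of it.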

4. Detection, hunting and incident response

  • Hunt for the LANDFALL artifacts described by Unit 42: look for processes loading .so modules from unusual paths, unexpected SELinux policy changes, and outbound connections to suspicious C2 infrastructure. Unit 42 published sample hashes and filenames for the DNGs it discovered; use those indicators in network and EDR telemetry.
  • Monitor MDM logs and behavior telemetry for signs of privilege escalation, new services, or abnormal data exfiltration patterns from Samsung devices.
  • If compromise is suspected, isolate the device, preserve forensic images, and escalate to incident response teams with mobile forensics capability.

5. Communicate and document

  • Issue an internal security bulletin to employees with Samsung devices: patch now, avoid opening unexpected image attachments (even if they appear to be from known contacts), and report suspicious device behavior.
  • For federal agencies and contractors: document remediation steps and timelines per BOD 22‑01/KEV compliance requirements.

Detection specifics and useful hunt queries

Practical detection tasks for security operations teams:
  • Search mobile EDR / MDM logs for processes that load shared object libraries (files named b.so or l.so in Unit 42 artifacts) or sudden SELinux policy reloads.
  • Network telemetry: look for unusual outbound HTTPS connections initiated by device processes that correlate with the time of an image receipt.
  • Forensic triage: if you can capture a device snapshot, check for suspicious files extracted from image payloads and for installed persistence mechanisms (new services, modified init scripts, SELinux policy changes).
  • Use hashes and filenames Unit 42 published (SHA256 list of DNG samples) as quick indicators in hash repositories and VirusTotal.
Flag any findings to incident response early — sophisticated spyware often attempts to hide or delete traces.
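The hunt tasks above translate directly into rules over endpoint telemetry. The Python below is an added example, not code from the brief or from Unit 42: it encodes three of them (shared objects loaded from outside the platform library directories, SELinux policy changes not made by init, and outbound TLS shortly after an image arrives) over a constructed JSON-lines event stream. The event schema, the trusted library prefixes, the package name, file names and addresses are invented for the example; only the module names b.so and l.so come from the research cited above.

```python
"""Hunt for LANDFALL-style behaviour in mobile EDR/MDM telemetry.

Added example, not from the original brief or from Unit 42. Three of the hunt
tasks above become rules over a JSON-lines event stream. The event schema, the
trusted library prefixes, the package name, file names and addresses are all
constructed for the example; only the module names b.so and l.so come from the
published research.
"""
import json
import os
from datetime import datetime, timedelta

TRUSTED_LIB_PREFIXES = ("/system/", "/system_ext/", "/vendor/", "/product/",
                        "/apex/", "/data/app/")   # assumption: platform and installed-app code
IMAGE_EXTENSIONS = (".dng", ".jpg", ".jpeg", ".png", ".webp", ".heic")
LANDFALL_MODULE_NAMES = {"b.so", "l.so"}          # loader and SELinux manipulator names
CORRELATION_WINDOW = timedelta(minutes=5)         # assumption: tunable per environment

# Constructed telemetry: one compromised-looking device (d-002) and one benign one (d-001).
SAMPLE_EVENTS = """\
{"ts":"2025-11-03T09:14:02Z","device":"d-002","type":"media_received","process":"com.example.messenger","path":"/data/user/0/com.example.messenger/cache/IMG-20251103-WA0007.dng"}
{"ts":"2025-11-03T09:14:03Z","device":"d-002","type":"library_load","process":"com.example.messenger","path":"/data/user/0/com.example.messenger/cache/b.so"}
{"ts":"2025-11-03T09:14:03Z","device":"d-002","type":"library_load","process":"com.example.messenger","path":"/data/user/0/com.example.messenger/cache/l.so"}
{"ts":"2025-11-03T09:14:04Z","device":"d-002","type":"selinux_policy","process":"com.example.messenger","action":"policy_reload"}
{"ts":"2025-11-03T09:14:09Z","device":"d-002","type":"net_connect","process":"com.example.messenger","dst":"203.0.113.7","port":443}
{"ts":"2025-11-03T09:20:00Z","device":"d-001","type":"media_received","process":"com.example.messenger","path":"/data/user/0/com.example.messenger/cache/IMG-20251103-WA0008.jpg"}
{"ts":"2025-11-03T09:20:01Z","device":"d-001","type":"library_load","process":"com.example.messenger","path":"/system/lib64/libimagecodec.quram.so"}
{"ts":"2025-11-03T09:45:00Z","device":"d-001","type":"net_connect","process":"com.example.messenger","dst":"198.51.100.20","port":443}
{"ts":"2025-11-03T10:00:00Z","device":"d-001","type":"selinux_policy","process":"init","action":"policy_reload"}
"""


def parse_ts(value):
    """ISO-8601 with a trailing Z (UTC) into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _finding(ev, severity, rule, detail):
    return {"device": ev["device"], "ts": ev["ts"], "severity": severity,
            "rule": rule, "detail": detail}


def hunt(jsonl_text):
    """Apply the three rules and return findings in event order."""
    findings, last_image = [], {}   # (device, process) -> time of latest image receipt
    for line in filter(str.strip, jsonl_text.splitlines()):
        ev = json.loads(line)
        ts, key = parse_ts(ev["ts"]), (ev["device"], ev["process"])
        if ev["type"] == "media_received" and ev["path"].lower().endswith(IMAGE_EXTENSIONS):
            last_image[key] = ts
        elif ev["type"] == "library_load" and not ev["path"].startswith(TRUSTED_LIB_PREFIXES):
            detail = f"{ev['process']} loaded {ev['path']}"
            if os.path.basename(ev["path"]) in LANDFALL_MODULE_NAMES:
                detail += " (file name matches a LANDFALL module)"
            findings.append(_finding(ev, "high", "untrusted_library_load", detail))
        elif ev["type"] == "selinux_policy" and ev["process"] != "init":
            findings.append(_finding(ev, "high", "selinux_policy_change",
                                     f"{ev['process']} performed {ev['action']}"))
        elif ev["type"] == "net_connect" and ev.get("port") == 443:
            received = last_image.get(key)
            if received is not None and timedelta(0) <= ts - received <= CORRELATION_WINDOW:
                delay = int((ts - received).total_seconds())
                findings.append(_finding(ev, "medium", "egress_after_image",
                    f"{ev['process']} connected to {ev['dst']}:443 {delay}s after receiving an image"))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f['severity']}] {f['ts']} {f['device']} {f['rule']}: {f['detail']}")
```

The egress rule is deliberately rated medium: messaging apps legitimately connect after receiving media, so on its own it is a correlation hint. A shared object loaded out of an app's cache directory, or a policy reload performed by a user-space app rather than init, should page someone on its own.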

Strategic analysis: strengths, weaknesses, and systemic risks

Strengths of the KEV decision

  • Operational urgency: KEV listing forced a short remediation window for federal entities and created a high-priority signal for enterprise ops teams, compressing the attacker’s exploitation window.
  • Visibility and coordination: Public reporting by Unit 42 and subsequent KEV action improved situational awareness and gave defenders actionable indicators and vendor patch references.

Notable security gaps and risks

  • Patch fragmentation on Android: Even with an April 2025 SMR, patch distribution for Samsung devices is staggered by model, carrier and region — many devices remain unpatched for months or longer, widening the exposure window. Attackers exploit that fragmentation for targeted campaigns.
  • Zero‑click risk: The exploit chain demonstrates how previewing behavior in messaging clients creates a potent attack surface that’s difficult to eliminate without degrading user experience. Enterprise controls to disable previews are blunt instruments and may not be feasible for all users.
  • Commercial spyware market: LANDFALL is described as commercial-grade; when PSOAs or similar vendors create turnkey exploit-and-deploy stacks, even non-state operators can access sophisticated capabilities. The presence of such tooling increases the risk to journalists, activists, diplomats, and other high-value targets.

Attribution and geopolitics — handled cautiously

Researchers observed tradecraft and infrastructure patterns consistent with private-sector offensive actors operating in the Middle East, but definitive attribution remains unconfirmed. Public sources and Unit 42 recommend caution in attribution until forensic trails and legal authorities provide clearer evidence. This ambiguity complicates response because state or PSOA involvement changes threat models, legal options and diplomatic remedies.

Longer‑term lessons for security teams

  • Treat shared system libraries (image codecs, media parsers) as high-risk, high-impact components; they deserve prioritized security review and targeted hardening (sandboxing, additional input validation, memory-safety mitigations).
  • Harden preview pipelines in messaging and mail gateways: avoid automatic full decode of raw image formats; apply input sanitization, format filtering, and pre-processing in isolated sandboxes.
  • Invest in MDM/EDR telemetry for mobile endpoints: rapidly detecting anomalous process loads or unusual SELinux policy changes shortens mean time to detection.

What we verified — and what remains uncertain

Confirmed:
  • CVE-2025-21042 is an out‑of‑bounds write in Samsung’s libimagecodec.quram.so that can lead to RCE and was patched in Samsung’s April 2025 SMR. This is corroborated by NVD and Samsung vendor advisories.
  • Unit 42’s LANDFALL research links real-world malicious DNG samples to CVE-2025-21042 and documents the malware components and delivery mechanics.
  • CISA added CVE-2025-21042 to the KEV catalog on Nov 10, 2025, creating an accelerated remediation requirement for federal agencies and a strong advisory for all organizations to patch or mitigate. Multiple independent reporting outlets reflect this sequence and the December 1, 2025 remediation target.
Unverified / cautionary:
  • Definitive actor attribution for LANDFALL is not public and remains unconfirmed; some indicators point to PSOA-style tooling in the region but those signals are circumstantial and should be treated as provisional.

Conclusion

CISA’s KEV listing of CVE‑2025‑21042 forces a clear operational choice: if your organization — especially federal civilian agencies, contractors, and enterprises with managed mobile endpoints — runs Samsung devices that haven’t received SMR Apr‑2025 or later, treat the exposure as urgent. The LANDFALL campaign shows how a single flawed image codec can be weaponized into a stealthy, zero‑click spyware delivery mechanism that grants comprehensive surveillance capabilities. Patch where possible, apply the compensating controls described above where patching is delayed, hunt for artifacts with the indicators published by Unit 42, and document remediation for compliance where BOD 22‑01 applies. The public record compiled by security researchers and the KEV action together form a clear operational playbook: inventory, patch, isolate, hunt, and harden. The practical risks exposed by CVE‑2025‑21042 are a timely reminder that mobile endpoints are crown-jewel assets for attackers — and that mobile vulnerability management must be as disciplined and prioritized as server and desktop patch programs.
Source: CISA, "CISA Adds One Known Exploited Vulnerability to Catalog"