CISA Warns: Patch Samsung 0-Day RCE Flaw to Prevent Attacks

Samsung vulnerability zero-day exploit CVE-2025-21042 CISA KEV catalog mobile device security LANDFALL spyware
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
November 12, 2025 2 min read
CISA Warns: Patch Samsung 0-Day RCE Flaw to Prevent Attacks

TL;DR

  • CISA has identified a critical zero-day vulnerability, CVE-2025-21042, actively exploited in Samsung mobile devices. This out-of-bounds write flaw in the image processing library allows attackers to execute arbitrary code remotely by sending maliciously crafted images, leading to spyware deployment. US federal agencies must patch by December 1, 2025; all users should update their devices immediately.

Samsung Mobile Devices Zero-Day Vulnerability

CISA has flagged a critical zero-day vulnerability affecting Samsung mobile devices and added it to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-21042, is actively exploited in real-world attacks. CISA has ordered US federal civilian agencies to address it by December 1, 2025.

Samsung 0-Day RCE Vulnerability Exploited

Image courtesy of The Cyber News

Technical Details of CVE-2025-21042

The vulnerability is an out-of-bounds write flaw (CWE-787) in the libimagecodec.quram.so library used for image processing on Samsung devices. This flaw allows remote attackers to execute arbitrary code on vulnerable devices without user interaction. The National Vulnerability Database provides additional information on this vulnerability.

Exploitation and Impact

Attackers are leveraging this zero-day to compromise Samsung smartphones via maliciously crafted images. Successful exploitation could lead to data theft, surveillance, or the use of compromised devices as entry points into corporate networks. The vulnerability has been reportedly exploited as a remote code execution (RCE) zero-day to deploy LANDFALL spyware on Galaxy devices.

Attack Chain

The attack chain involves sending a booby-trapped Digital Negative (DNG) image file via WhatsApp. The file contains ZIP archive payloads and tailored exploit code to trigger the vulnerability in Samsung’s image codec library. Processing the image alone is sufficient to compromise the device, requiring no user interaction.

Affected Devices

Device models targeted by LANDFALL include:

  • Galaxy S23 Series
  • Galaxy S24 Series
  • Galaxy Z Fold4
  • Galaxy S22
  • Galaxy Z Flip4

Remediation

Samsung addressed this issue in April 2025, and also addressed another image-library flaw, CVE-2025-21043, in September 2025.

Recommended Actions

  • Apply security patches from Samsung immediately.
  • Be cautious of unsolicited messages and files, especially images received over messaging apps like WhatsApp.
  • Download apps only from trusted sources like the Google Play Store and avoid sideloading files.
  • Use up-to-date real-time anti-malware solutions for your devices.
Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview
OpenSSL vulnerability

CVE-2025-15467: Critical OpenSSL RCE and DoS Vulnerability Overview

Urgent: OpenSSL 3.x vulnerable to CVE-2025-15467, enabling pre-auth RCE. Learn affected versions, impact, and immediate mitigation steps. Protect your systems now!

By Divyansh Ingle March 10, 2026 4 min read
common.read_full_article
SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now
SolarWinds Web Help Desk

SolarWinds Patches Critical Web Help Desk RCE Vulnerabilities Now

Critical RCE & Auth Bypass flaws in SolarWinds Web Help Desk are fixed! Don't risk it. Update to v2026.1 now to protect your systems. Learn more.

By Edward Zhou March 9, 2026 4 min read
common.read_full_article
AI vs Human Hackers: Who Prevails in 2026 Pen Testing?
AI hacking

AI vs Human Hackers: Who Prevails in 2026 Pen Testing?

Discover the results of a groundbreaking study comparing AI agents and human hackers in web vulnerability exploitation. See who prevails and what it means for your security. Read now!

By Jim Gagnard March 6, 2026 6 min read
common.read_full_article
Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends
vulnerability exploits

Vulnerability Exploits Lead Cyber Intrusions in 2026 Trends

Exploits are now the top intrusion method, outpacing phishing. Discover why rapid vulnerability patching is critical and how to bolster your defenses. Read more!

By Edward Zhou March 4, 2026 4 min read
common.read_full_article