CISA Warns: Patch Samsung 0-Day RCE Flaw to Prevent Attacks
TL;DR
- CISA has identified a critical zero-day vulnerability, CVE-2025-21042, actively exploited in Samsung mobile devices. This out-of-bounds write flaw in the image processing library allows attackers to execute arbitrary code remotely by sending maliciously crafted images, leading to spyware deployment. US federal agencies must patch by December 1, 2025; all users should update their devices immediately.
Samsung Mobile Devices Zero-Day Vulnerability
CISA has flagged a critical zero-day vulnerability affecting Samsung mobile devices and added it to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-21042, is actively exploited in real-world attacks. CISA has ordered US federal civilian agencies to address it by December 1, 2025.
Technical Details of CVE-2025-21042
The vulnerability is an out-of-bounds write flaw (CWE-787) in the libimagecodec.quram.so library used for image processing on Samsung devices. This flaw allows remote attackers to execute arbitrary code on vulnerable devices without user interaction. The National Vulnerability Database provides additional information on this vulnerability.
Exploitation and Impact
Attackers are leveraging this zero-day to compromise Samsung smartphones via maliciously crafted images. Successful exploitation could lead to data theft, surveillance, or the use of compromised devices as entry points into corporate networks. The vulnerability has been reportedly exploited as a remote code execution (RCE) zero-day to deploy LANDFALL spyware on Galaxy devices.
Attack Chain
The attack chain involves sending a booby-trapped Digital Negative (DNG) image file via WhatsApp. The file contains ZIP archive payloads and tailored exploit code to trigger the vulnerability in Samsung’s image codec library. Processing the image alone is sufficient to compromise the device, requiring no user interaction.
Affected Devices
Device models targeted by LANDFALL include:
- Galaxy S23 Series
- Galaxy S24 Series
- Galaxy Z Fold4
- Galaxy S22
- Galaxy Z Flip4
Remediation
Samsung addressed this issue in April 2025, and also addressed another image-library flaw, CVE-2025-21043, in September 2025.
Recommended Actions
- Apply security patches from Samsung immediately.
- Be cautious of unsolicited messages and files, especially images received over messaging apps like WhatsApp.
- Download apps only from trusted sources like the Google Play Store and avoid sideloading files.
- Use up-to-date real-time anti-malware solutions for your devices.
