CISA Warns: Patch Samsung 0-Day RCE Flaw to Prevent Attacks

Samsung vulnerability zero-day exploit CVE-2025-21042 CISA KEV catalog mobile device security LANDFALL spyware
Edward Zhou
Edward Zhou

CEO & Co-Founder

 
November 12, 2025 2 min read
CISA Warns: Patch Samsung 0-Day RCE Flaw to Prevent Attacks

TL;DR

CISA has identified a critical zero-day vulnerability, CVE-2025-21042, actively exploited in Samsung mobile devices. This out-of-bounds write flaw in the image processing library allows attackers to execute arbitrary code remotely by sending maliciously crafted images, leading to spyware deployment. US federal agencies must patch by December 1, 2025; all users should update their devices immediately.

Samsung Mobile Devices Zero-Day Vulnerability

CISA has flagged a critical zero-day vulnerability affecting Samsung mobile devices and added it to the Known Exploited Vulnerabilities (KEV) catalog. The vulnerability, identified as CVE-2025-21042, is actively exploited in real-world attacks. CISA has ordered US federal civilian agencies to address it by December 1, 2025.

Samsung 0-Day RCE Vulnerability Exploited
Image courtesy of The Cyber News

Technical Details of CVE-2025-21042

The vulnerability is an out-of-bounds write flaw (CWE-787) in the libimagecodec.quram.so library used for image processing on Samsung devices. This flaw allows remote attackers to execute arbitrary code on vulnerable devices without user interaction. The National Vulnerability Database provides additional information on this vulnerability.

Exploitation and Impact

Attackers are leveraging this zero-day to compromise Samsung smartphones via maliciously crafted images. Successful exploitation could lead to data theft, surveillance, or the use of compromised devices as entry points into corporate networks. The vulnerability has been reportedly exploited as a remote code execution (RCE) zero-day to deploy LANDFALL spyware on Galaxy devices.

Attack Chain

The attack chain involves sending a booby-trapped Digital Negative (DNG) image file via WhatsApp. The file contains ZIP archive payloads and tailored exploit code to trigger the vulnerability in Samsung’s image codec library. Processing the image alone is sufficient to compromise the device, requiring no user interaction.

Affected Devices

Device models targeted by LANDFALL include:

  • Galaxy S23 Series
  • Galaxy S24 Series
  • Galaxy Z Fold4
  • Galaxy S22
  • Galaxy Z Flip4

Remediation

Samsung addressed this issue in April 2025, and also addressed another image-library flaw, CVE-2025-21043, in September 2025.

Recommended Actions

  • Apply security patches from Samsung immediately.
  • Be cautious of unsolicited messages and files, especially images received over messaging apps like WhatsApp.
  • Download apps only from trusted sources like the Google Play Store and avoid sideloading files.
  • Use up-to-date real-time anti-malware solutions for your devices.
Edward Zhou
Edward Zhou

CEO & Co-Founder

 

CEO & Co-Founder of Gopher Security, leading the development of Post-Quantum cybersecurity technologies and solutions.

Related News

Critical runC Vulnerabilities Allow Container Escape in Docker, Kubernetes
runc vulnerabilities

Critical runC Vulnerabilities Allow Container Escape in Docker, Kubernetes

Urgent! Three severe runC flaws allow container escape in Docker & Kubernetes. Update now to protect your systems from root access. Learn more!

By Alan V Gutnov November 11, 2025 4 min read
Read full article
AIVSS: Bridging AI Security Gaps for Safer Applications
OWASP AIVSS

AIVSS: Bridging AI Security Gaps for Safer Applications

Discover the OWASP AI Vulnerability Scoring System (AIVSS) for assessing AI security risks. Learn about its framework, deliverables, and how it closes the gap with CVSS. Explore the AIVSS calculator and join the project!

By Alan V Gutnov November 10, 2025 5 min read
Read full article
Criminals Profit from Growing Market for Illicit AI Tools
AI cybercrime

Criminals Profit from Growing Market for Illicit AI Tools

Criminals are leveraging AI to create sophisticated malware and automate attacks. Discover the latest AI threats and how they're evolving. Learn more!

By Alan V Gutnov November 7, 2025 2 min read
Read full article
Google Discovers PROMPTFLUX Malware Leveraging AI for Evasion
AI malware

Google Discovers PROMPTFLUX Malware Leveraging AI for Evasion

Discover how threat actors are weaponizing AI & LLMs like Gemini for sophisticated malware evasion and attacks. Learn about PromptFlux, QuietVault & more. Stay protected!

By Edward Zhou November 6, 2025 3 min read
Read full article