Full Report
CISA ordered U.S. federal agencies today to patch a critical Samsung vulnerability that has been exploited in zero-day attacks to deploy LandFall spyware on devices running WhatsApp. [...]
Analysis Summary
# Vulnerability: Samsung libimagecodec Out-of-Bounds Write Exploited to Deploy LandFall Spyware
## CVE Details
- CVE ID: CVE-2025-21042
- CVSS Score: Not explicitly provided, but described as **critical** and actively exploited.
- CWE: Out-of-bounds Write (Inferred from description)
## Affected Systems
- Products: Samsung devices running Android 13 and later; flagship models specifically noted include the Galaxy S22, S23 and S24 series, the Z Fold 4, and the Z Flip 4.
- Versions: Android 13 and later.
- Configurations: Vulnerable when processing specifically crafted DNG images.
## Vulnerability Description
The vulnerability is an out-of-bounds write security flaw discovered in Samsung's `libimagecodec.quram.so` library. Successful exploitation allows remote attackers to achieve code execution on affected devices. The flaw was leveraged by attackers to deliver LandFall spyware via malicious DNG image files sent over WhatsApp, without requiring further user interaction beyond image processing by the OS/application.
## Exploitation
- Status: **Exploited in the wild** (Zero-day used to deploy LandFall spyware).
- Complexity: Low/Medium (Exploited remotely via image file processing).
- Attack Vector: Network (via WhatsApp message containing the malicious image).
## Impact
- Confidentiality: **High** (Spyware gains access to browsing history, contacts, SMS, call logs, photos, and files).
- Integrity: **High** (Ability to execute arbitrary code allows system modification).
- Availability: **Medium/High** (Spyware deployment can impair device functionality).
## Remediation
### Patches
- Samsung released security updates addressing CVE-2025-21042 in **April [2025]**.
- CISA mandates Federal Civilian Executive Branch (FCEB) agencies apply the fix by **December 1, [2025]**.
### Workarounds
- Organizations are urged to "Apply mitigations per vendor instructions."
- If mitigations are unavailable, discontinue use of the product immediately.
## Detection
- Indicators of Compromise: Successful exploitation leads to the deployment of LandFall spyware, capable of accessing extensive device data. Infrastructure patterns showed similarities to Stealth Falcon operations.
- Detection methods and tools: Analysis of DNG image processing components and monitoring for LandFall malware activity on endpoints are recommended. Reference Palo Alto Networks Unit 42 analysis for specific forensic artifacts.
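As an added example (not Samsung's, Unit 42's, or the original advisory's code), a small Python triage check for DNG attachments of the kind described above: DNG is a TIFF container, so the script walks the TIFF header and IFD chain and flags files whose declared offsets or value sizes fall outside the file, the inconsistency a decoder must reject before it writes into a buffer. The sample files, tag choices and the `check_dng_structure` name are constructed for this example.

```python
import struct

# TIFF/DNG field-type byte widths (TIFF 6.0 types 1..12)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}

def check_dng_structure(data: bytes) -> list:
    """Return structural problems in a TIFF/DNG blob; empty list means every IFD entry is in bounds."""
    problems = []
    if len(data) < 8:
        return ["file shorter than the 8-byte TIFF header"]
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        return ["not a TIFF byte-order mark (not a DNG)"]
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        problems.append(f"bad TIFF magic {magic}")
    seen = set()
    while ifd_offset:                       # offset 0 terminates the IFD chain
        if ifd_offset in seen:
            problems.append("IFD chain loops"); break
        seen.add(ifd_offset)
        if ifd_offset + 2 > len(data):
            problems.append(f"IFD offset 0x{ifd_offset:x} beyond file end"); break
        (count,) = struct.unpack_from(endian + "H", data, ifd_offset)
        end = ifd_offset + 2 + count * 12 + 4   # 12-byte entries plus next-IFD pointer
        if end > len(data):
            problems.append(f"IFD at 0x{ifd_offset:x} declares {count} entries, overruns file"); break
        for i in range(count):
            tag, ftype, n, val = struct.unpack_from(endian + "HHII", data, ifd_offset + 2 + i * 12)
            width = TYPE_SIZES.get(ftype)
            if width is None:
                problems.append(f"tag {tag}: unknown field type {ftype}"); continue
            # values wider than 4 bytes live at offset `val`; that range must lie inside the file
            if width * n > 4 and val + width * n > len(data):
                problems.append(f"tag {tag}: {width * n} bytes at 0x{val:x} beyond file end")
        (ifd_offset,) = struct.unpack_from(endian + "I", data, end - 4)
    return problems

def build_tiff(entries, next_ifd=0):
    """Constructed little-endian TIFF with one IFD; entries are (tag, type, count, value)."""
    ifd = struct.pack("<H", len(entries)) + b"".join(struct.pack("<HHII", *e) for e in entries)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + struct.pack("<I", next_ifd)

# Constructed samples: a minimal well-formed DNG-style file (ImageWidth, ImageLength, DNGVersion
# 1.4.0.0 stored inline) and one whose StripOffsets entry claims 4000 bytes past the end of file.
GOOD_DNG = build_tiff([(256, 3, 1, 1), (257, 3, 1, 1), (50706, 1, 4, 0x00000401)])
BAD_DNG = build_tiff([(273, 4, 1000, 16)])
```

Running `check_dng_structure` over a quarantine directory of received images gives a first-pass list of files worth deeper analysis; a clean result only means the container is self-consistent, not that the file is safe.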
## References
- Vendor Advisory (Samsung Security Update): hxxps://security.samsungmobile.com/securityUpdate.smsb?year=2025&month=04
- CISA KEV Catalog Addition: hxxps://www.cisa.gov/news-events/alerts/2025/11/10/cisa-adds-one-known-exploited-vulnerability-catalog
- NVD Entry: hxxps://nvd.nist.gov/vuln/detail/CVE-2025-21042