
In recent months, a critical zero-day vulnerability tracked as CVE-2025-21042 has been actively exploited on Samsung Galaxy devices, posing a significant security risk to users worldwide. The flaw has been leveraged by the LANDFALL spyware campaign, which targets high-value individuals in several countries with a zero-click exploit. This post outlines the vulnerability, the associated threat, and the CISA Known Exploited Vulnerabilities (KEV) catalog entry, so that security teams and users understand the impact and the protective measures.
Understanding CVE-2025-21042: Samsung Galaxy Image Processing Flaw
CVE-2025-21042 is a critical memory corruption vulnerability (an out-of-bounds write) in Samsung’s Galaxy image processing library, specifically the libimagecodec.quram.so component. A crafted Digital Negative (DNG) image triggers the flaw when the device parses it, giving the attacker remote code execution. Crucially, the exploit requires no user interaction: because received images are decoded automatically, an attacker can compromise a device simply by sending the malicious file through a common messaging app such as WhatsApp.
Affected devices include popular Samsung Galaxy models running Android 13, 14, and 15, among them the Galaxy S22, S23, and S24 series and the foldable Z Fold 4 and Z Flip 4. Samsung fixed the flaw in its April 2025 Security Maintenance Release (SMR); a device whose Android security patch level (Settings > About phone > Software information) is earlier than 2025-04-01 remains exposed.
LANDFALL Spyware and Attack Campaign
LANDFALL is a commercial-grade spyware implant that has been exploiting CVE-2025-21042 in targeted espionage campaigns, primarily in the Middle East (Iraq, Iran, Turkey, and Morocco). Once the exploit lands, the implant gains extensive access to sensitive data, including microphone audio, geolocation, photos, contacts, and call logs.
The operators use advanced tradecraft: manipulating SELinux policy to expand the implant’s privileges, process injection, and encrypted command-and-control traffic, all of which make detection and mitigation harder. Because the exploit is zero-click, the only "action" the victim takes is receiving the image.
CISA Known Exploited Vulnerabilities (KEV) Catalog Inclusion
Recognizing the critical nature and active exploitation of CVE-2025-21042, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion underscores the urgency for organizations and users to apply patches and implement detection controls.
CISA KEV Details for CVE-2025-21042
- CVE Identifier: CVE-2025-21042
- Vulnerability: Out-of-bounds write in Samsung Galaxy image codec (libimagecodec.quram.so)
- Attack Vector: Remote via crafted DNG image files
- Impact: Remote code execution without user interaction (zero-click)
- Patch Status: Patch released April 2025 (Samsung SMR)
- Known Exploitation: Confirmed active exploitation by LANDFALL spyware
- CISA Directive: Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate KEV entries by the catalog due date; CISA recommends that all other organizations patch promptly and hunt for related activity
Organizations are urged to prioritize patch management for affected Samsung devices and to monitor for indicators of compromise linked to LANDFALL spyware operations.
Mitigation and Recommendations
- Apply Patches: Users and organizations must update their Samsung devices immediately with the April 2025 Security Maintenance Release to remediate CVE-2025-21042.
- Monitor Messaging Channels: User vigilance cannot defeat a zero-click exploit, so treat unexpected DNG images arriving through messaging apps as a hunting lead rather than a user-training problem. For high-risk users on devices that cannot yet be updated, limiting automatic media download reduces exposure but is no substitute for the patch.
- Threat Hunting: Security teams should deploy detection mechanisms to identify LANDFALL spyware indicators in network and device telemetry.
- Follow CISA Guidance: Stay informed of CISA KEV updates and implement recommended security measures to reduce exposure.
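Two of the checks above, the patch-level test from "Apply Patches" and a DNG triage pass for "Threat Hunting" over files pulled from a messaging app's media folder, as an added example. This is not code from the original post, from Samsung, or from the LANDFALL reporting. It assumes that the April 2025 SMR corresponds to Android security patch level 2025-04-01, identifies a DNG by the DNGVersion tag (0xC612) in the TIFF IFD0, and treats "TIFF bytes behind a .jpg name" as a hunting heuristic of my own rather than a published LANDFALL indicator. The sample DNG it parses is constructed inline and is not a real image.

```python
"""Added example for CVE-2025-21042 triage (not the post's, Samsung's, or Unit 42's code).

Assumptions, stated as such:
  * A device is remediated when ro.build.version.security_patch is 2025-04-01
    or later (the April 2025 SMR named in the post).
  * A DNG is a TIFF container whose IFD0 carries the DNGVersion tag (0xC612).
  * DNGs in a messaging app's media folder, or TIFF bytes behind a JPEG name,
    deserve a second look; that is a hunting heuristic, not a confirmed IOC.
"""
import struct
import subprocess
from datetime import date

FIXED_PATCH_LEVEL = date(2025, 4, 1)   # assumption: April 2025 SMR == 2025-04-01
DNG_VERSION_TAG = 0xC612               # DNGVersion, per the DNG specification


def is_patched(security_patch: str) -> bool:
    """True if an Android security patch string (YYYY-MM-DD) is at or past the fix."""
    try:
        y, m, d = (int(x) for x in security_patch.strip().split("-"))
        return date(y, m, d) >= FIXED_PATCH_LEVEL
    except ValueError:
        return False  # unparseable or missing property: treat as unpatched


def device_patch_level() -> str:
    """Read the patch level from an attached handset via adb (not exercised by tests)."""
    out = subprocess.run(["adb", "shell", "getprop", "ro.build.version.security_patch"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def tiff_ifd0_tags(data: bytes) -> dict:
    """Return {tag: (type, count, value_or_offset)} for IFD0 of a classic TIFF, else {}."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return {}
    end = "<" if data[:2] == b"II" else ">"
    magic, ifd_off = struct.unpack(end + "HI", data[2:8])
    if magic != 42 or ifd_off + 2 > len(data):
        return {}
    (n,) = struct.unpack(end + "H", data[ifd_off:ifd_off + 2])
    tags = {}
    for i in range(n):
        off = ifd_off + 2 + 12 * i
        if off + 12 > len(data):
            break  # truncated IFD: stop rather than index past the buffer
        tag, typ, count, val = struct.unpack(end + "HHII", data[off:off + 12])
        tags[tag] = (typ, count, val)
    return tags


def is_dng(data: bytes) -> bool:
    """A TIFF whose IFD0 declares DNGVersion is a DNG."""
    return DNG_VERSION_TAG in tiff_ifd0_tags(data)


def triage_media_file(name: str, data: bytes) -> list:
    """Heuristic findings for one file taken from a messaging app media directory."""
    findings = []
    tags = tiff_ifd0_tags(data)
    if DNG_VERSION_TAG in tags:
        findings.append("DNG container (CVE-2025-21042 delivery format)")
    if tags and name.lower().endswith((".jpg", ".jpeg")):
        findings.append("TIFF/DNG bytes behind a JPEG extension")
    return findings


def build_min_dng(little_endian: bool = True) -> bytes:
    """Constructed sample: header plus an IFD0 carrying DNGVersion. Not a real image."""
    end = "<" if little_endian else ">"
    header = (b"II" if little_endian else b"MM") + struct.pack(end + "HI", 42, 8)
    # Values shorter than 4 bytes are left-justified in the value field.
    entries = [
        (0x0100, 3, 1, struct.pack(end + "H", 1) + b"\x00\x00"),   # ImageWidth = 1
        (0x0101, 3, 1, struct.pack(end + "H", 1) + b"\x00\x00"),   # ImageLength = 1
        (DNG_VERSION_TAG, 1, 4, b"\x01\x04\x00\x00"),              # DNGVersion = 1.4.0.0
    ]
    ifd = struct.pack(end + "H", len(entries))
    for tag, typ, count, value in entries:
        ifd += struct.pack(end + "HHI", tag, typ, count) + value
    ifd += struct.pack(end + "I", 0)  # no next IFD
    return header + ifd


if __name__ == "__main__":
    sample = build_min_dng()
    print("IMG_0001.jpeg ->", triage_media_file("IMG_0001.jpeg", sample))
    print("2025-03-01 patched?", is_patched("2025-03-01"))
```

For an attached handset, `adb shell getprop ro.build.version.security_patch` returns the string `is_patched` expects; `adb pull` the messaging app's media directory and feed each file to `triage_media_file`. The IFD parser stops at a truncated directory instead of reading past the end of the buffer, which is the class of bounds check any image parser needs to avoid out-of-bounds access.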
Conclusion
CVE-2025-21042 is a high-risk vulnerability exploited in targeted campaigns by the LANDFALL spyware. Its zero-click execution bypasses user awareness entirely, so timely patching and telemetry-based detection are what matter. With CISA’s addition of the flaw to the KEV catalog, security teams have a clear mandate to address it urgently. Keeping devices updated and hunting for LANDFALL activity are the essential steps in defending against this exploit.
Stay secure and keep your Samsung Galaxy devices patched.