Overview
- The U.S. cybersecurity agency added CVE-2025-21042 to its Known Exploited Vulnerabilities list and set a December 1 deadline for federal agencies to patch affected Samsung devices.
- Palo Alto Networks’ Unit 42 disclosed that LANDFALL used malformed DNG images to trigger an out-of-bounds write in Samsung’s libimagecodec.quram.so, enabling remote code execution without user interaction.
- Samsung fixed the vulnerability in its April 2025 security update, and researchers say exploitation in the wild stretched back to at least July 2024.
- Infections were identified in Turkey, Iran, Iraq, and Morocco, with evidence pointing to precision espionage rather than mass distribution.
- Targets included Galaxy S22, S23, and S24 models as well as Z Fold4 and Z Flip4. The spyware could record audio, track location, and exfiltrate data. Researchers reported that WhatsApp was only a delivery channel, with no unknown flaw found in the app.