Overview
- CISA added CVE-2025-21042 to its Known Exploited Vulnerabilities catalog and directed U.S. federal civilian agencies to remediate by December 1, urging all organizations to prioritize updates.
- The flaw is an out‑of‑bounds write in Samsung’s libimagecodec.quram.so that enabled remote code execution on devices running Android 13 through 15.
- Attackers sent malformed DNG images, often resembling WhatsApp photos, to trigger zero‑click installation of LANDFALL; researchers found no unknown vulnerability in WhatsApp itself.
- Unit 42 traced activity to at least July 2024 in a targeted campaign against individuals in Iraq, Iran, Turkey, and Morocco rather than a broad malware spread.
- LANDFALL enabled extensive surveillance and targeted Galaxy S22–S24 and Z Fold4/Flip4 models; researchers noted infrastructure overlaps with Stealth Falcon but made no firm attribution.