Vulnerability
Campaign
Malware Activity
Public Sector Action
Security Patch Release
Samsung image library flaw used to deliver LANDFALL spyware
Updated 25.11.2025 08:42
Case score 68
Why this score?
Case score is a discovery signal based on public evidence, not a guaranteed risk rating. Use it to decide what to review first, then verify important details from the linked sources.
- Total
- 68
- Main story score
- 63
- Related evidence lift
- +5 / 20
- Contributing updates
- 2
- Context updates
- 2
Top contributors
- Vulnerability Defines the Samsung image-processing zero-day exploited before patching and anchors the Case. main
- Malware Activity Supplies direct evidence of malicious DNG delivery, persistence, and surveillance tooling used by LandFall. contributes
- Campaign Provides the LandFall campaign context, WhatsApp DNG delivery path, and spyware objective tied to CVE-2025-21042. contributes
- Public Sector Action Shows federal remediation pressure after CISA added CVE-2025-21042 to KEV and set a deadline. context
Case score 68
Members 5
Latest activity 25.11.2025 08:42
Active exploitation
KEV: CISA KEV
Patch available
CVSS: 9.8 Critical
Members 5
First seen 12.09.2025 12:48
Last seen 11.11.2025 12:30
Updated 25.11.2025 08:42
Overview
**CVE-2025-21042** in Samsung's image processing library was exploited as a zero-day to push **LANDFALL** spyware through malicious **DNG** images sent over **WhatsApp**. The activity affected selected Galaxy devices and was active before Samsung's April patch, with evidence dating back to July 2024.
CISA later added the flaw to the **KEV** catalog and ordered US federal agencies to remediate it by **December 1** or stop using affected products if mitigations are unavailable. Samsung also patched **CVE-2025-21043** in the same library after reporting in-the-wild exploitation, but available evidence still does not quantify total reach or confirm a single public attribution.
Attackers used **CVE-2025-21042** in Samsung's image processing library to deliver **LANDFALL** spyware to Galaxy devices through malicious **DNG** images sent over **WhatsApp**. The exploit path could trigger remote code execution with little or no user interaction, and the activity was already in use before Samsung patched the flaw in April. Available evidence says the campaign has been active since at least July 2024 and focused on selected Galaxy models, including the S22, S23, S24, Z Fold4, and Z Flip4. The payload was built for surveillance rather than simple intrusion, with functions described for microphone recording, location tracking, and collection of device data.
CISA later added **CVE-2025-21042** to the **KEV** catalog and told US federal agencies to apply vendor mitigations by **December 1** or discontinue use if mitigations are unavailable. Samsung also released **SMR Sep-2025 Release 1** for **CVE-2025-21043**, a separate out-of-bounds write in the same image library that Samsung said had been exploited in the wild. Available evidence points to sustained abuse of Samsung's image parsing stack through crafted image content, but it does not yet quantify reach or confirm a single public attribution for both flaws.
Signals
11 derivedImpact signals
Exploitation
Exploitation
Active exploitation
CVSS
9.8 Critical
CVEs/products
CVE
CVE
Victims/regions
Victim region
United States
Remediation
KEV
CISA KEV
Urgency
High
Remediation
Patch available
Status
Campaign status
Active
Policy stage
Effective
Threat context
Threat context
LandFall
Malware context
1 families · 6 toolsTools
Bridge Head
Cytrox
NSO Group
Quadream
Variston
NSO
Member happenings
5 related
Vulnerability
Samsung image processing library zero-day RCE (CVE-2025-21042)
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Vulnerability
Samsung image processing library zero-day RCE (CVE-2025-21042)
Exploitation
Active Exploitation
CVSS
9.8 Critical
Patch
Patch Available
Campaign
LandFall WhatsApp DNG spyware campaign targeting Samsung devices in the Middle East
Objective
Espionage
Campaign
Active
Campaign
LandFall WhatsApp DNG spyware campaign targeting Samsung devices in the Middle East
Objective
Espionage
Campaign
Active
Malware Activity
LandFall spyware deployment via malicious WhatsApp .DNG images
Malware
Backdoor
Platform
Android
Patch
Patch Available
Malware Activity
LandFall spyware deployment via malicious WhatsApp .DNG images
Malware
Backdoor
Platform
Android
Patch
Patch Available
Public Sector Action
CISA adds CVE-2025-21042 to KEV catalog
Policy Stage
Effective
Patch
Patch Available
Public Sector Action
CISA adds CVE-2025-21042 to KEV catalog
Policy Stage
Effective
Patch
Patch Available
Security Patch Release
Samsung security patch release for CVE-2025-21043
Exploitation
Active Exploitation
Urgency
High
Patch
Patch Available
Security Patch Release
Samsung security patch release for CVE-2025-21043
Exploitation
Active Exploitation
Urgency
High
Patch
Patch Available