Find notable cyber news and cases, enriched with sources, timelines, and signals.
Vulnerability Campaign Malware Activity Public Sector Action Security Patch Release

Samsung image library flaw used to deliver LANDFALL spyware

Updated 25.11.2025 08:42
Case score 68
Case score 68 Members 5 Latest activity 25.11.2025 08:42
Active exploitation KEV: CISA KEV Patch available CVSS: 9.8 Critical
Members 5 First seen 12.09.2025 12:48 Last seen 11.11.2025 12:30 Updated 25.11.2025 08:42

Overview

**CVE-2025-21042** in Samsung's image processing library was exploited as a zero-day to push **LANDFALL** spyware through malicious **DNG** images sent over **WhatsApp**. The activity affected selected Galaxy devices and was active before Samsung's April patch, with evidence dating back to July 2024. CISA later added the flaw to the **KEV** catalog and ordered US federal agencies to remediate it by **December 1** or stop using affected products if mitigations are unavailable. Samsung also patched **CVE-2025-21043** in the same library after reporting in-the-wild exploitation, but available evidence still does not quantify total reach or confirm a single public attribution.

Signals

11 derived
Impact signals
Exploitation
Exploitation Active exploitation CVSS 9.8 Critical
CVEs/products
CVE CVE
Victims/regions
Victim region United States
Remediation
KEV CISA KEV Urgency High Remediation Patch available
Status
Campaign status Active Policy stage Effective
Threat context
Threat context LandFall

Malware context

1 families · 6 tools
Tools
Bridge Head Cytrox NSO Group Quadream Variston NSO

Member happenings

5 related
Vulnerability Samsung image processing library zero-day RCE (CVE-2025-21042)
Updated 07.11.2025 17:29 Lead Contribution 63
Exploitation Active Exploitation CVSS 9.8 Critical Patch Patch Available

**CVE-2025-21042** is a **Samsung image processing library** flaw that was **exploited as a zero-day** to deliver **LANDFALL** spyware and achieve **remote code execution** on affected **Samsung Galaxy** devices before Samsung’s **April** patch. The exploitation path involved a **specially crafted DNG image** delivered through **WhatsApp**, and CISA later cited the campaign as part of a broader wave of attacks against **mobile messaging apps** and high-value users. The same vulnerability thread is now also linked to a **Samsung** campaign targeting **Galaxy devices in the Middle East**.

Campaign LandFall WhatsApp DNG spyware campaign targeting Samsung devices in the Middle East
Updated 11.11.2025 12:30 Scoring Support Contribution 3
Objective Espionage Campaign Active

A **LandFall** spyware campaign has used **malicious DNG image files** over **WhatsApp** to target **Samsung devices** in the **Middle East**, raising covert surveillance risk. The operation has been active since **mid-2024** and may have relied on **zero-click exploits** to trigger **remote code execution**. It is designed for **microphone recording**, **location tracking**, and harvesting **photos, contacts, and call logs**. The tradecraft points to a persistent commercial spyware effort rather than a one-off lure.

Malware Activity LandFall spyware deployment via malicious WhatsApp .DNG images
Updated 07.11.2025 20:23 Scoring Support Contribution 2
Malware Backdoor Platform Android Patch Patch Available

The **LandFall** spyware operation used malicious **.DNG** images sent over **WhatsApp** to exploit Samsung’s **CVE-2025-21042**, execute code on targeted Galaxy phones, and keep access for spying. The activity affected select **Samsung Galaxy** users in the **Middle East** and supported **persistence**, **microphone recording**, and **call recording**. Samples seen as early as **July 23, 2024** show the operation had been active before the patch. Affected models included **Galaxy S22/S23/S24** and **Z Fold 4/Z Flip 4**.

Public Sector Action CISA adds CVE-2025-21042 to KEV catalog
Updated 11.11.2025 12:30 Context
Policy Stage Effective Patch Patch Available

**CISA** added **CVE-2025-21042** to the **KEV catalog**, triggering a formal federal response to a **Samsung** zero-day that had been reported as actively abused in spyware operations. The directive orders **US federal agencies** to apply vendor mitigations, follow **BOD 22-01** cloud guidance, or discontinue use if mitigations are unavailable. Agencies must comply by **December 1**, and the flaw is an **out-of-bounds write** bug with a **9.8 CVSS** score that Samsung patched in **April**.

Security Patch Release Samsung security patch release for CVE-2025-21043
Updated 12.09.2025 12:48 Context
Exploitation Active Exploitation Urgency High Patch Patch Available

**Samsung** released **SMR Sep-2025 Release 1** to fix **CVE-2025-21043**, a **critical remote code execution** flaw in **libimagecodec.quram.so** on **Android 13+** devices. Samsung said the bug is an **out-of-bounds write** and that an exploit had existed **in the wild**. The patch matters because unupdated devices could be remotely compromised through malicious image content.