Vulnerability Campaign Malware Activity Public Sector Action Security Patch Release

Samsung image library flaw used to deliver LANDFALL spyware

Updated 25.11.2025 08:42

Case score 68

Case score 68 Members 5 Latest activity 25.11.2025 08:42 Active exploitation KEV: CISA KEV Patch available CVSS: 9.8 Critical

Active exploitation KEV: CISA KEV Patch available CVSS: 9.8 Critical

Members 5 First seen 12.09.2025 12:48 Last seen 11.11.2025 12:30 Updated 25.11.2025 08:42

Overview

**CVE-2025-21042** in Samsung's image processing library was exploited as a zero-day to push **LANDFALL** spyware through malicious **DNG** images sent over **WhatsApp**. The activity affected selected Galaxy devices and was active before Samsung's April patch, with evidence dating back to July 2024. CISA later added the flaw to the **KEV** catalog and ordered US federal agencies to remediate it by **December 1** or stop using affected products if mitigations are unavailable. Samsung also patched **CVE-2025-21043** in the same library after reporting in-the-wild exploitation, but available evidence still does not quantify total reach or confirm a single public attribution.

Key facts

Attackers used **CVE-2025-21042** in Samsung's image processing library to push **LANDFALL** spyware through WhatsApp-delivered DNG images.
The activity was active since at least July 2024 and targeted Samsung Galaxy S22, S23, S24, Z Fold4, and Z Flip4 devices.
The payload path could trigger remote code execution with little or no user interaction.
The spyware was built for surveillance, including microphone recording, location tracking, and collection of device data.
CISA added **CVE-2025-21042** to the **KEV** catalog and set a **December 1** remediation deadline for US federal agencies.
Samsung later released **SMR Sep-2025 Release 1** for **CVE-2025-21043**, a separate out-of-bounds write in the same image library that Samsung said had been exploited in the wild.
Available evidence does not quantify reach or confirm a single public attribution for both Samsung flaws.

Malware context

1 families · 6 tools

Tools

Bridge Head Cytrox NSO Group Quadream Variston NSO

Signals

8 derived

Exploitation

Exploitation Active exploitation CVSS 9.8 Critical

CVEs/products

CVE CVE

Victims/regions

Victim region United States

Remediation

KEV CISA KEV Remediation Patch available

Threat context

Threat context LandFall

Member happenings

5 related

Vulnerability Samsung image processing library zero-day RCE (CVE-2025-21042)

Updated 07.11.2025 17:29 Lead Contribution 63

Exploitation Active Exploitation CVSS 9.8 Critical Patch Patch Available

**CVE-2025-21042** is a **Samsung image processing library** flaw that was **exploited as a zero-day** to deliver **LANDFALL** spyware and achieve **remote code execution** on affected **Samsung Galaxy** devices before Samsung’s **April** patch. The exploitation path involved a **specially crafted DNG image** delivered through **WhatsApp**, and CISA later cited the campaign as part of a broader wave of attacks against **mobile messaging apps** and high-value users. The same vulnerability thread is now also linked to a **Samsung** campaign targeting **Galaxy devices in the Middle East**.

View happening

Campaign LandFall WhatsApp DNG spyware campaign targeting Samsung devices in the Middle East

Updated 11.11.2025 12:30 Scoring Support Contribution 3

Campaign Active Objective Espionage

A **LandFall** spyware campaign has used **malicious DNG image files** over **WhatsApp** to target **Samsung devices** in the **Middle East**, raising covert surveillance risk. The operation has been active since **mid-2024** and may have relied on **zero-click exploits** to trigger **remote code execution**. It is designed for **microphone recording**, **location tracking**, and harvesting **photos, contacts, and call logs**. The tradecraft points to a persistent commercial spyware effort rather than a one-off lure.

View happening

Malware Activity LandFall spyware deployment via malicious WhatsApp .DNG images

Updated 07.11.2025 20:23 Scoring Support Contribution 2

Malware Backdoor Platform Android

The **LandFall** spyware operation used malicious **.DNG** images sent over **WhatsApp** to exploit Samsung’s **CVE-2025-21042**, execute code on targeted Galaxy phones, and keep access for spying. The activity affected select **Samsung Galaxy** users in the **Middle East** and supported **persistence**, **microphone recording**, and **call recording**. Samples seen as early as **July 23, 2024** show the operation had been active before the patch. Affected models included **Galaxy S22/S23/S24** and **Z Fold 4/Z Flip 4**.

View happening

Public Sector Action CISA adds CVE-2025-21042 to KEV catalog

Updated 11.11.2025 12:30 Context

Policy Stage Effective

**CISA** added **CVE-2025-21042** to the **KEV catalog**, triggering a formal federal response to a **Samsung** zero-day that had been reported as actively abused in spyware operations. The directive orders **US federal agencies** to apply vendor mitigations, follow **BOD 22-01** cloud guidance, or discontinue use if mitigations are unavailable. Agencies must comply by **December 1**, and the flaw is an **out-of-bounds write** bug with a **9.8 CVSS** score that Samsung patched in **April**.

View happening

Security Patch Release Samsung security patch release for CVE-2025-21043

Updated 12.09.2025 12:48 Context

Exploitation Active Exploitation Urgency High Patch Patch Available

**Samsung** released **SMR Sep-2025 Release 1** to fix **CVE-2025-21043**, a **critical remote code execution** flaw in **libimagecodec.quram.so** on **Android 13+** devices. Samsung said the bug is an **out-of-bounds write** and that an exploit had existed **in the wild**. The patch matters because unupdated devices could be remotely compromised through malicious image content.

View happening