Remote Code Execution Vulnerability in Samsung's libimagecodec.quram.so Library Exploited in the Wild
Summary
A remote code execution vulnerability in Samsung's libimagecodec.quram.so library, tracked as CVE-2025-21043, was actively exploited in zero-day attacks targeting Samsung Android devices running Android 13, 14, 15, or 16. The flaw, reported by Meta and WhatsApp, allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. The CVSS score for the vulnerability is 8.8. Samsung has released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR). The exploit may affect other instant messengers using the vulnerable library. Users are advised to update their devices to the latest security patch.
Timeline
- 12.09.2025 12:48 · 2 articles
Samsung patches actively exploited zero-day in libimagecodec.quram.so
A remote code execution vulnerability in Samsung's libimagecodec.quram.so library, tracked as CVE-2025-21043, was actively exploited in zero-day attacks targeting Samsung Android devices running Android 13, 14, 15, or 16. The flaw, reported by Meta and WhatsApp, allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. The CVSS score for the vulnerability is 8.8. Samsung released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR). The exploit may affect other instant messengers using the vulnerable library. The patch fixed the incorrect implementation in libimagecodec.quram.so.
Sources:
- Samsung patches actively exploited zero-day reported by WhatsApp — www.bleepingcomputer.com — 12.09.2025 12:48
- Samsung Fixes Critical Zero-Day CVE-2025-21043 Exploited in Android Attacks — thehackernews.com — 12.09.2025 18:16
Information Snippets
- The vulnerability, CVE-2025-21043, affects Samsung devices running Android 13 or later.
  First reported: 12.09.2025 12:48 (2 sources, 2 articles)
- The flaw is in libimagecodec.quram.so, a closed-source image parsing library developed by Quramsoft.
  First reported: 12.09.2025 12:48 (2 sources, 2 articles)
- The vulnerability is an out-of-bounds write weakness that allows remote code execution.
  First reported: 12.09.2025 12:48 (2 sources, 2 articles)
- The exploit was reported by Meta and WhatsApp on August 13.
  First reported: 12.09.2025 12:48 (2 sources, 2 articles)
- Samsung released a patch for the vulnerability in the September 2025 Security Maintenance Release (SMR).
  First reported: 12.09.2025 12:48 (2 sources, 2 articles)
- The exploit may target other instant messengers that use the vulnerable library.
  First reported: 12.09.2025 12:48 (2 sources, 2 articles)
Similar Happenings
CVE-2025-5086 in DELMIA Apriso Exploited in the Wild
A critical deserialization vulnerability (CVE-2025-5086) in Dassault Systèmes DELMIA Apriso Manufacturing Operations Management (MOM) software is being actively exploited. The flaw, with a CVSS score of 9.0, affects versions from Release 2020 through Release 2025. The vulnerability allows for remote code execution, and exploitation attempts have been observed originating from an IP address in Mexico. The attacks involve sending a malicious HTTP request with a Base64-encoded payload. The payload decodes to a Windows executable identified as "Trojan.MSIL.Zapchast.gen," a spyware capable of capturing user activities and sending collected information to attackers. DELMIA Apriso is used in production processes for digitalizing and monitoring, including scheduling production, quality management, resource allocation, warehouse management, and integration between production equipment and business applications. The flaw impacts critical industries such as automotive, aerospace, electronics, high-tech, and industrial machinery. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to the Known Exploited Vulnerabilities (KEV) catalog and is advising federal agencies to apply necessary updates by October 2, 2025.
Active exploitation of SAP S/4HANA command injection vulnerability CVE-2025-42957
A critical command injection vulnerability in SAP S/4HANA, tracked as CVE-2025-42957, is being actively exploited in the wild. The flaw allows attackers with low-privileged user access to execute arbitrary ABAP code, potentially leading to full system compromise. The vulnerability affects both on-premise and private cloud editions of SAP S/4HANA. The exploit can result in unauthorized modification of the SAP database, creation of superuser accounts, and theft of password hashes. Organizations are advised to apply patches immediately and monitor for suspicious activity. The vulnerability was fixed by the vendor on August 11, 2025, but several systems have not applied the available security updates, and these are now being targeted by hackers who have weaponized the bug. SecurityBridge discovered the vulnerability and reported it to SAP on June 27, 2025, and even assisted in the development of a patch. SecurityBridge and Pathlock have confirmed active exploitation of the vulnerability. The patch for CVE-2025-42957 is relatively easy to reverse engineer, and successful exploitation gives attackers access to the operating system and all data in the targeted SAP system. Organizations are urged to implement additional security measures, such as SAP's Unified Connectivity framework (UCON), to restrict RFC usage and monitor logs for suspicious activity.
High-Severity Use-After-Free Vulnerability in Chrome's V8 Engine Patched
Google has released Chrome 140 to patch a high-severity use-after-free vulnerability (CVE-2025-9864) in the V8 JavaScript engine. This flaw, reported by the Yandex Security Team, could lead to heap corruption and potential remote code execution (RCE) through crafted HTML pages. The update also addresses three medium-severity bugs in Chrome’s Toolbar, Extensions, and Downloads components. Users are advised to update immediately to mitigate risks. The vulnerability affects multiple platforms, including Windows, macOS, and Linux. Google has not reported any active exploitation in the wild.
Google Patches Two Zero-Day Vulnerabilities Under Active Exploitation in Android
Google released September 2025 Android security updates addressing 111 vulnerabilities, including two zero-day flaws actively exploited in targeted attacks. The vulnerabilities allow privilege escalation without user interaction. The patches include fixes for remote code execution, information disclosure, and denial-of-service issues across various components. The updates are part of Google's monthly security bulletin, with two patch levels released to provide flexibility for Android partners. The vulnerabilities were discovered by Benoît Sevens of Google's Threat Analysis Group (TAG).
WhatsApp Zero-Day Exploited in Targeted Spyware Campaign
A zero-day vulnerability in WhatsApp (CVE-2025-55177) was exploited in targeted attacks against fewer than 200 users. The flaw allowed unauthorized users to process content from arbitrary URLs on targeted devices. The attacks were sophisticated and involved chaining with a separate Apple vulnerability (CVE-2025-43300) affecting iOS, iPadOS, and macOS. The vulnerability was patched in WhatsApp's messaging apps for Apple iOS and macOS. The exploit could have allowed attackers to trigger the processing of content from arbitrary URLs on a target's device, potentially leading to spyware deployment. The attacks were part of a targeted spyware campaign, with WhatsApp sending in-app threat notifications to affected users. Apple has also sent multiple threat notifications since 2021, alerting users in over 150 countries about these sophisticated attacks. Apple has introduced Memory Integrity Enforcement (MIE) in the latest iPhone models to combat memory corruption vulnerabilities. The spyware market has seen an increase in U.S. investors and new entities in various countries.