CISA Orders Feds to Patch Samsung Zero-Day Used in Spyware Attacks
Key takeaways:
- CISA has issued an urgent directive for federal agencies to patch a critical Samsung zero-day vulnerability.
- The vulnerability, CVE-2025-21042, is actively exploited to deploy LandFall spyware via WhatsApp.
- Organizations are advised to apply patches immediately and enhance mobile device security measures.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent directive for U.S. federal agencies to address a critical Samsung zero-day vulnerability actively exploited in spyware campaigns. This flaw, identified as CVE-2025-21042, has been weaponized to deploy LandFall spyware on devices running WhatsApp.
CVE-2025-21042: A Deep Dive into the Samsung Zero-Day
CVE-2025-21042 is an out-of-bounds write vulnerability residing in Samsung’s libimagecodec.quram.so library. This security flaw allows remote attackers to execute arbitrary code on targeted devices running Android 13 and later. The vulnerability was initially patched by Samsung in April, following a report from the security teams at Meta and WhatsApp. However, Palo Alto Networks’ Unit 42 discovered that attackers had been actively exploiting it since at least July 2024 to deliver the previously unknown LandFall spyware through malicious DNG images sent via WhatsApp.

Unit 42’s analysis indicates that a wide array of Samsung flagship models are vulnerable, including the Galaxy S22, S23, and S24 series, as well as the Z Fold 4 and Z Flip 4. Data extracted from VirusTotal samples suggests potential targets located in Iraq, Iran, Turkey, and Morocco. Further analysis of command-and-control (C2) domain infrastructure and registration patterns reveals similarities to those observed in Stealth Falcon operations, which are believed to originate from the United Arab Emirates.
Another indicator lies in the use of the “Bridge Head” name for the malware loader component. This naming convention is frequently associated with commercial spyware developed by vendors like NSO Group, Variston, Cytrox, and Quadream. Despite these clues, a definitive link between LandFall and any known spyware vendors or specific threat groups has not been established.
Given the severity and active exploitation of CVE-2025-21042, CISA has added it to its Known Exploited Vulnerabilities catalog. This catalog lists security vulnerabilities that are known to be actively exploited in attacks. As mandated by Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to secure their Samsung devices against these attacks by December 1. FCEB agencies include non-military entities within the U.S. executive branch, such as the Department of Energy, the Department of the Treasury, the Department of Homeland Security, and the Department of Health and Human Services.
Although this directive is specifically binding for federal agencies, CISA has strongly advised all organizations to prioritize patching this security flaw as quickly as possible. CISA emphasized that “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.” CISA recommends applying mitigations as per vendor instructions, adhering to applicable BOD 22-01 guidance for cloud services, or discontinuing the use of the product if mitigations are unavailable.
This incident highlights the critical importance of proactive breach detection and rapid response strategies, particularly in the face of zero-day exploits.
Understanding the LandFall Spyware
The LandFall spyware, deployed via CVE-2025-21042, represents a significant threat due to its ability to compromise devices through a simple WhatsApp message containing a malicious DNG image. This method circumvents traditional security measures, making it crucial to understand its capabilities and how it evades detection.
According to available information, LandFall operates by exploiting the out-of-bounds write vulnerability in Samsung’s image processing library. Once the DNG image is processed by the vulnerable device, the spyware gains code execution, allowing it to perform a range of malicious activities. These activities may include:
- Data Exfiltration: Stealing sensitive information such as contacts, messages, photos, and location data.
- Remote Control: Gaining unauthorized access to the device’s camera and microphone for surveillance.
- Credential Harvesting: Capturing usernames, passwords, and other credentials stored on the device.
- Privilege Escalation: Obtaining elevated privileges to further compromise the device and potentially the network it is connected to.
The sophistication of LandFall is evident in its use of the “Bridge Head” malware loader, a component with naming conventions similar to those used by known commercial spyware vendors. This suggests that the developers of LandFall have either acquired or emulated techniques employed by advanced threat actors.
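A defender-side triage helper, added here as an example and not tooling from Unit 42, Samsung or PurpleOps: it recognises DNG content by its TIFF header and the DNGVersion tag rather than by filename, so media received on a device that does not yet carry the Samsung fix can be held back for review. The sample files are constructed for the demonstration.

```python
import struct

DNG_VERSION_TAG = 0xC612  # TIFF private tag "DNGVersion": present only in DNG files
IFD_ENTRY_SIZE = 12       # each TIFF IFD entry is tag(2) type(2) count(4) value(4)

def is_dng(data: bytes) -> bool:
    """True when data is a TIFF container whose first IFD carries DNGVersion."""
    if len(data) < 8:
        return False
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None or struct.unpack(endian + "H", data[2:4])[0] != 42:
        return False  # not a TIFF header, so it cannot be a DNG
    ifd = struct.unpack(endian + "I", data[4:8])[0]
    if ifd + 2 > len(data):
        return False  # IFD offset points past the file: malformed
    count = struct.unpack(endian + "H", data[ifd:ifd + 2])[0]
    pos = ifd + 2
    for _ in range(count):
        if pos + IFD_ENTRY_SIZE > len(data):
            return False  # truncated IFD: treat as malformed rather than guess
        if struct.unpack(endian + "H", data[pos:pos + 2])[0] == DNG_VERSION_TAG:
            return True
        pos += IFD_ENTRY_SIZE
    return False

def triage(files: dict) -> dict:
    """Map filename -> 'quarantine' for DNG content, 'ok' otherwise, ignoring the extension."""
    return {name: ("quarantine" if is_dng(blob) else "ok") for name, blob in files.items()}

def _tiff(endian: str, tags: list) -> bytes:
    """Build a minimal single-IFD TIFF (constructed sample data for this demo)."""
    header = (b"II" if endian == "<" else b"MM") + struct.pack(endian + "HI", 42, 8)
    body = struct.pack(endian + "H", len(tags))
    for tag, typ, cnt, value in tags:
        body += struct.pack(endian + "HHI", tag, typ, cnt) + value
    return header + body + struct.pack(endian + "I", 0)

# Constructed samples: a DNG (DNGVersion 1.4.0.0), a plain big-endian TIFF, a JPEG stub.
SAMPLES = {
    "IMG-0001.dng": _tiff("<", [(0x0100, 3, 1, struct.pack("<HH", 8, 0)),  # ImageWidth
                                (DNG_VERSION_TAG, 1, 4, bytes([1, 4, 0, 0]))]),
    "scan.tif": _tiff(">", [(0x0100, 3, 1, struct.pack(">HH", 8, 0))]),
    "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16,
}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name}: {verdict}")
```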
Practical Takeaways and Actionable Advice
This situation presents both technical and non-technical challenges. Here’s a breakdown of practical steps organizations can take to mitigate the risks associated with CVE-2025-21042 and similar threats:
Technical Measures:
- Patch Immediately: Apply the security updates released by Samsung to address CVE-2025-21042 on all affected devices. This is the most critical step in mitigating the vulnerability.
- Implement Real-Time Threat Intelligence: Utilize a cyber threat intelligence platform that provides real-time ransomware intelligence and brand leak alerting to stay informed about emerging threats and vulnerabilities.
- Enhance Mobile Device Management (MDM): Improve MDM policies to ensure that all devices are regularly updated with the latest security patches. Enforce strong password policies and enable multi-factor authentication (MFA) where possible.
- Network Segmentation: Segment the network to limit the potential impact of a compromised device. Isolate critical systems and data from less secure areas of the network.
- Monitor Network Traffic: Implement network monitoring tools to detect suspicious activity, such as unusual data transfers or connections to known malicious IP addresses. Consider a dark web monitoring service to identify potential threats targeting your organization.
- Endpoint Detection and Response (EDR): Deploy EDR solutions on mobile devices to detect and respond to malicious activity. EDR can provide visibility into endpoint behavior and help identify and contain threats before they cause significant damage.
- Supply-Chain Risk Monitoring: Conduct a comprehensive supply-chain risk monitoring assessment to identify vulnerabilities within your vendor ecosystem. Ensure that third-party vendors also adhere to stringent security practices.
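The "Patch Immediately" and MDM items above come down to one question per device: does its Android security patch level meet the update that fixes the flaw? The following fleet check is an added example (not Samsung, CISA or PurpleOps tooling) that classifies devices from `getprop` output an MDM agent can collect; the threshold dates are assumptions derived from the page's "April" and "September" statements, not values taken from Samsung's bulletins, and the sample fleet data is constructed.

```python
from datetime import date

# Assumed minimum security patch levels: the page says Samsung fixed CVE-2025-21042
# in April and CVE-2025-21043 in September; the exact bulletin dates are not on the
# page, so replace these thresholds with the vendor's published values.
REQUIRED_PATCH = {
    "CVE-2025-21042": date(2025, 4, 1),
    "CVE-2025-21043": date(2025, 9, 1),
}

def parse_getprop(text: str) -> dict:
    """Parse `adb shell getprop` style lines of the form [key]: [value]."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and "]: [" in line:
            key, _, value = line[1:-1].partition("]: [")
            props[key] = value
    return props

def assess(props: dict) -> dict:
    """Classify one device per CVE: patched, vulnerable, not-affected or unknown."""
    try:
        major = int(props.get("ro.build.version.release", "").split(".")[0])
        level = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return {cve: "unknown" for cve in REQUIRED_PATCH}  # property missing or malformed
    result = {}
    for cve, needed in REQUIRED_PATCH.items():
        if cve == "CVE-2025-21042" and major < 13:
            result[cve] = "not-affected"  # the page scopes this CVE to Android 13 and later
        else:
            result[cve] = "patched" if level >= needed else "vulnerable"
    return result

def fleet_report(fleet: dict) -> dict:
    """Run assess() over {device_id: getprop output} collected by an MDM agent."""
    return {dev: assess(parse_getprop(out)) for dev, out in fleet.items()}

# Constructed getprop excerpts for three devices (not real inventory data).
SAMPLE_FLEET = {
    "device-A": "[ro.build.version.release]: [14]\n[ro.build.version.security_patch]: [2025-03-01]",
    "device-B": "[ro.build.version.release]: [15]\n[ro.build.version.security_patch]: [2025-10-01]",
    "device-C": "[ro.build.version.release]: [12]\n[ro.build.version.security_patch]: [2024-11-01]",
}

if __name__ == "__main__":
    for dev, status in fleet_report(SAMPLE_FLEET).items():
        print(dev, status)
```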
Non-Technical Measures:
- Employee Training: Educate employees about the risks of phishing attacks and social engineering tactics. Emphasize the importance of verifying the authenticity of messages and attachments before opening them.
- Incident Response Plan: Develop and regularly test an incident response plan that outlines the steps to be taken in the event of a security breach. This plan should include procedures for identifying, containing, and eradicating threats, as well as for recovering data and systems.
- Security Audits: Conduct regular security audits to identify vulnerabilities and assess the effectiveness of security controls. These audits should include both technical assessments and reviews of security policies and procedures.
- Executive Awareness: Ensure that executive leadership is aware of the potential impact of cyber threats and the importance of investing in cybersecurity. Secure their support for implementing and maintaining effective security measures.
- Telegram Threat Monitoring: Consider implementing Telegram threat monitoring to stay informed about potential threats discussed within relevant channels and groups.
- Underground Forum Intelligence: Leverage underground forum intelligence to gain insights into emerging attack techniques and vulnerabilities. This can provide early warning of potential threats targeting your organization.
PurpleOps and Proactive Cybersecurity
The incident involving CVE-2025-21042 underscores the need for a proactive and multi-layered approach to cybersecurity. PurpleOps specializes in providing comprehensive cybersecurity solutions that address the evolving threat landscape. Our services include:
- Cyber Threat Intelligence: Gain access to actionable threat intelligence to stay ahead of emerging threats. Our cyber threat intelligence platform provides real-time insights into attacker tactics, techniques, and procedures (TTPs).
- Dark Web Monitoring: Monitor the dark web for stolen credentials, leaked data, and other sensitive information. Our dark web monitoring service helps you identify and mitigate potential threats before they can impact your organization.
- Breach Detection: Implement advanced breach detection technologies to identify and respond to security incidents quickly and effectively.
- Supply Chain Information Security: Protect your organization from third-party risks with our comprehensive supply-chain risk monitoring solutions.
- Real-time Ransomware Intelligence: Stay one step ahead of ransomware attacks with our real-time ransomware intelligence feed. Access a live ransomware API to integrate intelligence into your security tools.
- Red Team Operations and Penetration Testing: Simulate real-world attacks to identify vulnerabilities and weaknesses in your security posture.
- Brand Leak Alerting: Receive immediate notifications of any leaks or mentions of your brand or sensitive information on public or private forums.
- Underground Forum Intelligence: Gain insights into emerging attack techniques and vulnerabilities discussed in underground forums.
By leveraging our expertise and services, organizations can strengthen their security posture, mitigate the risk of cyberattacks, and protect their valuable assets.
The September release of security updates from Samsung to patch another libimagecodec.quram.so flaw (CVE-2025-21043) that was exploited in zero-day attacks targeting its Android devices further underscores the importance of continuous monitoring, patching, and adaptation to the constant stream of cyber threats.
For more information about how PurpleOps can help your organization enhance its cybersecurity defenses, please visit our website. You can also explore our specific offerings for ransomware protection and dark web monitoring, and consider a comprehensive risk assessment such as supply-chain risk monitoring.
FAQ
Q: What is CVE-2025-21042?
A: An out-of-bounds write vulnerability in Samsung's libimagecodec.quram.so image processing library that allows remote attackers to execute arbitrary code on devices running Android 13 and later. Samsung patched it in April, and CISA has since added it to its Known Exploited Vulnerabilities catalog.
Q: What devices are affected by CVE-2025-21042?
A: According to Unit 42, a wide range of Samsung flagship models, including the Galaxy S22, S23, and S24 series as well as the Z Fold 4 and Z Flip 4.
Q: How is the LandFall spyware deployed?
A: Through a malicious DNG image sent via WhatsApp. When the vulnerable device processes the image, the spyware gains code execution.
Q: What should organizations do to mitigate the risk?
A: Apply Samsung's security updates immediately (FCEB agencies must do so by December 1 under BOD 22-01), tighten MDM policies so devices stay patched, segment the network, and monitor devices and network traffic for suspicious activity.
Q: What is PurpleOps?
A: A cybersecurity company providing cyber threat intelligence, dark web monitoring, breach detection, supply-chain risk monitoring, real-time ransomware intelligence, red team operations and penetration testing, brand leak alerting, and underground forum intelligence.