A critical vulnerability has recently put Samsung mobile device users at significant risk of cyberattacks. On November 10, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) added the flaw, tracked as CVE-2025-21042, to its Known Exploited Vulnerabilities (KEV) catalog. This catalog highlights vulnerabilities actively exploited in the wild and sets patch deadlines for federal agencies, signaling urgency to the cybersecurity community. The vulnerability was reportedly used in a zero-day remote code execution (RCE) attack to deploy LANDFALL spyware on Galaxy devices in the Middle East. Once a zero-day exploit is uncovered, other attackers tend to jump on the bandwagon, increasing the overall threat level.
The vulnerability lies in Samsung’s image processing library and is an out-of-bounds write flaw. Such issues allow attackers to overwrite memory beyond intended boundaries, often resulting in memory corruption, unauthorized code execution, and in this case, full device takeover. What makes CVE-2025-21042 particularly dangerous is that it requires no user interaction to succeed—no clicks, no warnings. Attackers can execute arbitrary code remotely and quietly gain control over a victim’s phone.
Samsung issued a patch for this vulnerability back in April 2025, but the recent alert from CISA indicates that the exploit has been active for months, with attackers staying ahead of defenders in some cases. The stakes here are high: compromised devices can lead to data theft and surveillance, and can serve as entry points for broader attacks on enterprises. The attack method is sophisticated and silent, making it difficult for users to detect until it’s too late.
Research from Unit 42 reveals that the attackers, likely private-sector offensive actors based in the Middle East, used this vulnerability to deliver LANDFALL spyware via malformed Digital Negative (DNG) image files sent over WhatsApp. DNG is an open RAW image format used mainly by photographers for lossless image data. The malicious DNG files contained ZIP archive payloads and exploit code that triggered the flaw in Samsung’s image codec library. Remarkably, this is a zero-click attack—the victim doesn’t have to open or interact with the file for the exploit to work. Simply processing the image is enough to compromise the device.
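For defenders triaging image files pulled from a device or a mail/messaging gateway, the trait described above (a DNG that also carries a ZIP archive) can be checked offline. The following is an added example, not code from Unit 42 or Samsung; the function names and sample bytes are constructed for illustration. It assumes the archive sits where Python's `zipfile` can locate its end-of-central-directory record (at or near the end of the file), which the article does not specify.

```python
import io
import struct
import zipfile

def is_tiff_container(data: bytes) -> bool:
    """DNG is TIFF-based: byte-order mark, magic 42, then first IFD offset."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return False
    endian = "<" if data[:2] == b"II" else ">"
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    return magic == 42 and 8 <= ifd_offset < len(data)

def find_embedded_zip(data: bytes):
    """Return (offset, member names) of a ZIP archive inside data, else None."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            infos = zf.infolist()
    except zipfile.BadZipFile:
        return None
    if not infos:
        return None
    # zipfile corrects header offsets for data placed in front of the archive,
    # so the smallest one is where the archive starts inside the image file.
    return min(i.header_offset for i in infos), [i.filename for i in infos]

def triage_image(data: bytes) -> dict:
    """Flag a TIFF/DNG image that also carries a ZIP archive."""
    found = find_embedded_zip(data)
    tiff = is_tiff_container(data)
    return {
        "is_tiff": tiff,
        "zip_offset": found[0] if found else None,
        "zip_members": found[1] if found else [],
        "suspicious": tiff and found is not None,
    }

def build_constructed_samples():
    """Constructed inputs: a minimal TIFF header, with and without a ZIP."""
    clean = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<HI", 0, 0)
    clean += b"\x00" * 64  # stand-in for image data
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("constructed_member.bin", b"placeholder")
    return clean, clean + buf.getvalue()

if __name__ == "__main__":
    for name, blob in zip(("clean", "with_zip"), build_constructed_samples()):
        print(name, triage_image(blob))
```

A hit is a triage signal for closer analysis, not proof of compromise, and a clean result does not rule out other malformed-image techniques.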
Adding to the concern, Samsung also patched a related image processing library flaw, CVE-2025-21043, in September 2025, pointing to a growing trend where image processing vulnerabilities are becoming favored attack vectors for espionage and cybercrime. Users and businesses need to act fast: if you haven’t updated your Samsung device since April, do it now. Federal agencies must comply by December 1, 2025. Besides patching, users should be cautious with unsolicited messages and image files, especially over messaging apps, avoid downloading apps from untrusted sources, and keep anti-malware solutions up to date.
Targeted device models include the Galaxy S23 and S24 series, Galaxy Z Fold4, Galaxy S22, and Galaxy Z Flip4. The rise of zero-day attacks targeting mobile devices shows how critical it is for users to stay vigilant and ensure timely updates. The LANDFALL spyware attack exemplifies how modern threats can operate silently, requiring no user action and leaving no obvious signs until damage is done. Protecting your device means staying updated, cautious, and using reliable security software.