CISA has coordinated government offices in the U.S. to fix a basic defenselessness in Samsung versatile gadgets — one that has been effectively misused in the wild to introduce spyware.
SC Media
+3
Bleeping Computer
+3
The Programmer News
+3
Here are the key specialized details:
The defenselessness is followed as CVE‑2025‑21042, an out‑of‑bounds compose blemish in the Samsung library libimagecodec.quram.so, which is an image‑parsing library.
Bleeping Computer
+2
The Programmer News
+2
It influences gadgets running Android 13 and afterward (Samsung System lead arrangement: S22, S23, S24; Z Fold 4; Z Flip 4) agreeing to the security firm Palo Alto Networks Unit 42.
SC Media
+3
Bleeping Computer
+3
Forbes
+3
Attackers utilized this blemish to convey a spyware system named LANDFALL by means of noxious DNG picture records sent over WhatsApp. Timestamps and artifact investigation recommend the abuse was progressing at slightest since July 2024.
The Programmer News
+2
Forbes
+2
Samsung fixed the blemish in April 2025.
The Programmer News
+2
Forbes
+2
CISA included the powerlessness to its Known Misused Vulnerabilities (KEV) catalog and ordered government civilian official department (FCEB) offices to remediate it by December 1, 2025 beneath its Official Operational Order (BOD) 22‑01.
Bleeping Computer
+1
Why this matters
This occurrence is critical on numerous levels:
1. Zero‑day exploitation
A “zero‑day” implies that the powerlessness was obscure (or unpatched) when aggressors started misusing it. In this case:
The abuse was utilized in the wild earlier to Samsung’s fix discharge.
The Programmer News
+1
The assault vector is advanced: pernicious DNG picture records with implanted ZIP payloads, empowering inaccessible code execution without critical client interaction.
Forbes
+1
The malware is “commercial‑grade” spyware — showing proficient, focused on operation (not fair astute mass‑malware).
The Programmer News
+1
2. Profoundly touchy assault capabilities
Once introduced, LANDFALL gives aggressors wide reconnaissance capabilities:
Access to photographs, records, call logs, SMS messages, contacts.
Forbes
+1
Microphone recordings, area following.
The Programmer News
+1
Persistent embed engineering: the introductory loader brings assist modules from C2 framework.
The Programmer News
+1
Such capabilities go past conventional malware; they see like secret activities instruments. In fact, investigators note the assault foundation has similitudes to the operations of Stealth Hawk, a U.A.E.‑linked performing artist, in spite of the fact that no conclusive attribution has been made.
The Programmer News
+1
3. Focusing on lead portable devices
That this targets high‑end Samsung System gadgets is important:
Many associations (counting government) issue lead phones, regularly with less confinements than desktops/servers.
Mobile gadgets are progressively utilized for delicate work (mail, archives, communications). A compromised gadget opens a expansive assault surface.
4. Government mandate underscores urgency
CISA’s mandate means:
The U.S. government government considers this risk dynamic, sound and serious.
By including it to the KEV catalog, the imperfection is lifted to the level of public‑sector basic fixing.
Bleeping Computer
Agencies have until December 1, 2025 to remediate (generally three weeks from the order date of Nov 10) beneath BOD 22‑01.
Bleeping Computer
The powerlessness – more profound dive
Let’s unload what the imperfection is and how it works technically:
Out‑of‑bounds compose in picture parsing library
The library libimagecodec.quram.so is dependable for taking care of picture designs (like DNG) on Samsung gadgets. The defenselessness (CVE‑2025‑21042) is an out‑of‑bounds compose, meaning that when preparing a uncommonly created picture, memory exterior the expecting buffer can be overwritten. This can permit assailants to execute self-assertive code.
The Programmer News
+1
Because the library is utilized for picture translating, the assault vector is intelligent: send a pernicious picture (through WhatsApp) and trigger the blemish, at that point execute payloads. Undoubtedly, the abuse chain implants a ZIP document at the conclusion of a DNG picture. Once decoded, the chronicle drops a shared protest (SO) library, controls the Selina approach for determination, and interfaces to a C2 server.
Forbes
Deployment through WhatsApp image
The aggressors utilized WhatsApp to convey the pernicious pictures. Whereas it’s not affirmed whether the abuse required client interaction (opening the picture) or was zero‑click, the sign is that it might be zero‑click: the loader conduct recommends progressed stealth.
The Programmer News
+1
Scope of gadgets and exploitation
Palo Alto’s Unit 42 found the influenced gadgets incorporate the S22, S23, S24, Z Fold 4 and Z Flip 4 — all Samsung lead models.
The Programmer News
+1
Geographically, the target list shows up to incorporate Iraq, Iran, Turkey and Morocco (based on malware tests).
Bleeping Computer
+1
Related zero‑day (CVE‑2025‑21043)
Samsung too fixed another zero‑day in the same library: CVE‑2025‑21043. Whereas not affirmed to be portion of the LANDFALL campaign, it appears a design of abuse movement around the library.
The Programmer News
+1
CISA’s order & U.S. Government response
On November 10, 2025, CISA issued its mandate requesting government civilian official department (FCEB) offices to remediate this helplessness.
Bleeping Computer
What CISA said
The blemish “could permit inaccessible aggressors to execute self-assertive code” on Samsung versatile gadgets.
Bleeping Computer
It has been included to the Known Exploited Vulnerabilities (KEV) catalog.
Bleeping Computer
Under BOD 22‑01, the due date for FCEB organizations to apply the fix (or relief) is December 1, 2025.
Bleeping Computer
While the mandate as it were orders government office compliance, CISA “urged all associations to organize patching” the imperfection.
Bleeping Computer
What this implies in down to earth terms
Federal organizations must assess whether they have Samsung gadgets influenced, apply accessible patches, or apply mitigations (or suspend utilize) if fixing is not feasible.
This sets a point of reference for portable gadget vulnerabilities to be treated with the same direness as server/desktop flaws.
For associations past the U.S. government government, the counseling is a solid flag: the blemish is dynamic, misused in genuine assaults, and you ought to treat it as high‑risk.
Implications & takeaways for organizations
Even in spite of the fact that the mandate is U.S. federal‑focused, the suggestions apply more broadly. Here are key takeaways:
Risk assessment
If your association employments Samsung Universe gadgets (particularly lead models), accept they may be powerless unless patched.
Mobile gadgets are frequently less firmly overseen or solidified compared to servers; aggressors progressively target them.
The way this abuse works (picture by means of WhatsApp) implies bypassing conventional securities (e-mail channels, organize firewalls) is possible.
Patch management
Samsung discharged the fix in April 2025. If you have gadgets that are not upgraded, apply the overhaul quickly.
The Programmer News
+1
Verify that your portable gadget administration (MDM) or venture portability administration (EMM) arrangements have sent this upgrade and check for compliance.
If gadgets cannot be overhauled (bequest, unsupported adaptations), you require to evaluate mitigations: cripple powerless library utilization (in the event that conceivable), limit WhatsApp/image accepting, or limit gadget usage.
Mitigation & monitoring
Organizations ought to actualize mobile‑centric risk location: see for unusual conduct (amplifier enactment, area following, suspicious organize traffic).
Limit utilize of untrusted apps/messaging channels or uphold stricter arrangements on media connections (pictures, particularly DNG/RAW files).
Educate clients: indeed “trusted” informing apps can be vectors for progressed assaults; clients ought to introduce upgrades and be cautious with picture records gotten from obscure sources.
Supply chain / third‑party risk
This case appears a helplessness in a third‑party library (Quasit's picture codec). Associations dependent on seller gadgets must pay consideration not as it were to OS overhauls but moreover to vendor‑specific libraries and firmware.
It underscores the hazard in versatile environments: fix cadence may be slower, gadgets may stay in utilize unpatched for long periods, and the differences of gadget models increments exposure.
Attribution & danger on-screen character maturity
The malware campaign (LANDFALL) illustrates tall modernity: custom loaders, stealthy dispersion by means of DNG pictures, tirelessness modules, and real‑time C2 communication.
The Programmer News
+1
While the correct attribution remains dubious, similitudes to U.A.E.‑linked Stealth Bird of prey propose state‑level or state‑adjacent capabilities.
The Programmer News
+1
For associations in touchy divisions (government, basic foundation, high‑value targets), this demonstrates that versatile assaults are no longer solely opportunistic—they’re focused on, high‑stakes.
Broader versatile security posture
The case serves as a update: versatile gadgets are portion of the endpoint biological system and must get the same security consideration as desktops/servers.
Policies must cover gadget encryption, application whitelisting, media connection control, danger discovery, and quick patching.
Regular reviews of gadget show utilization, OS adaptation compliance, merchant firmware overhauls, and application of danger intel discoveries are essential.
What you (or associations) ought to do right now
Here are significant steps you can take:
Inventory your devices
Identify all Samsung World gadgets in your organization.
Check OS adaptation, fix level. Decide if any gadgets are on Android 13 or afterward and running defenseless library versions.
Apply the patch
Ensure the Samsung security overhaul (discharged April 2025) that fixes CVE‑2025‑21042 is connected. Numerous gadgets may auto‑update, but confirm compliance.
If utilizing MDM/EMM, thrust the upgrade over gadgets, and check for fizzled patches or non‑compliant devices.
Segment & confine high‑risk usage
If gadgets cannot be overhauled (unsupported models or custom ROMs), limit utilization to non‑sensitive functions.
Consider restricting establishment of informing apps from untrusted sources, debilitate DNG/raw picture preparing where possible.
Disable or screen applications that can get connections from untrusted contacts (since WhatsApp was the conveyance vector).
Monitor for signs of compromise
Establish logs/monitoring for portable gadget action: amplifier enactment, unused administrations beginning, abnormal organize activity to obscure C2 servers, huge outbound information from device.
Consider portable danger discovery arrangements (MTD) or endpoint assurance amplified to versatile devices.
User mindfulness & training
Inform clients approximately dangers of accepting unforeseen picture records (particularly by means of informing apps) and energize them to upgrade phones promptly.
Communicate that indeed apps they believe (e.g., WhatsApp) might be utilized as interruption vectors.
Update your security posture
Review your portable gadget security approaches: overhaul recurrence, antivirus/THREAT scope, media connection control, gadget decommissioning of unsupported hardware.
Ensure your seller gadget upgrade handle is opportune: portable sellers frequently slack in venture roll‑out; confirm seller notice and arrangement timelines.
Threat insights & defenselessness tracking
Subscribe to significant danger advisories (e.g., CISA KEV catalog) and seller security bulletins (Samsung).
Track third‑party library vulnerabilities (e.g., in picture codecs, media parsers) that may not be clear in standard helplessness scans.
Why this is pertinent past fair the U.S. government government
Even in spite of the fact that the CISA order is focused on at U.S. government organizations, the suggestions are global:
The misuse is utilized in the wild against gadgets in different nations (Iran, Iraq, Turkey, Morocco).
Forbes
+1
Samsung gadgets are all inclusive conveyed; associations and people around the world utilizing helpless models are at risk.
The supply‑chain perspective (picture library in lead gadget) appears how versatile gadgets progressively shape portion of the endeavor assault surface.
Many associations may not treat portable gadgets with the same direness they treat servers/PCs, but this occurrence appears that can’t proceed.
0 Comments