CISA: Patch Samsung flaw exploited to deliver spyware (CVE-2025-21042)

CISA has added CVE-2025-21042, a vulnerability affecting Samsung mobile devices, to its Known Exploited Vulnerabilities (KEV) catalog, and has ordered US federal civilian agencies to address it by the start of December.

“This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” the Cybersecurity and Infrastructure Security Agency noted.

In this particular case, the danger for federal agencies might be higher than usual, as this vulnerability has reportedly been leveraged to deliver commercial-grade Android spyware, possibly on behalf of government entities.

About CVE-2025-21042

CVE-2025-21042 is an out-of-bounds write vulnerability in the libimagecodec.quram.so library, used by Samsung mobile devices for image processing. It may allow remote attackers to execute arbitrary code on a vulnerable device.

A fix for CVE-2025-21042 was released in April 2025, but in the preceding months it was used by attackers to deliver the LANDFALL spyware.

“The exploit chain possibly involved zero-click delivery using maliciously crafted images, similar to recent exploit chains seen on iOS and Samsung Galaxy,” Palo Alto Networks researchers noted.

“This method closely resembles an exploit chain involving [an iOS zero-day vulnerability affecting DNG image parsing] and [a WhatsApp zero-day vulnerability] that drew attention in August 2025. It also resembles an exploit chain that likely occurred using a similar zero-day vulnerability (CVE-2025-21043) disclosed [and patched] in September [2025].”

About the LANDFALL spyware

The researchers discovered “several previously undetected DNG image files containing embedded Android spyware that were uploaded to VirusTotal throughout 2024 and early 2025,” and their file names suggest that they were delivered via WhatsApp.

“The malformed DNG image files we discovered have an embedded ZIP archive appended to the end of the file,” the researchers explained.

“The exploit extracts shared object library (.so) files from the embedded ZIP archive to run LANDFALL spyware.”
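As an added illustration (not code from the Palo Alto Networks researchers or from this article), the following Python triage helper checks an image buffer for the structure described above: a DNG/TIFF header followed by a ZIP archive appended to the end of the file, and whether that archive lists native (.so) libraries. The sample input is constructed inline, and the file name in it is a placeholder.

```python
import io
import struct
import zipfile
from typing import Optional

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")   # little/big-endian TIFF; DNG is TIFF-based
EOCD_SIG = b"PK\x05\x06"                 # ZIP end-of-central-directory record


def find_appended_zip(data: bytes) -> Optional[int]:
    """Return the offset at which a trailing ZIP archive begins, or None.

    Offsets inside a ZIP are relative to the archive's own start, so a ZIP
    appended to an image keeps a consistent internal layout: locate the EOCD
    record and step back over the central directory to find that start.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or eocd + 22 > len(data):
        return None
    cd_size, cd_offset = struct.unpack_from("<II", data, eocd + 12)
    zip_start = eocd - cd_size - cd_offset
    if zip_start < 0 or data[zip_start:zip_start + 4] != b"PK\x03\x04":
        return None
    return zip_start


def triage_dng(data: bytes) -> dict:
    """Report whether a DNG/TIFF buffer carries an appended ZIP and any .so entries."""
    report = {"tiff_header": data[:4] in TIFF_MAGICS, "zip_offset": None,
              "entries": [], "native_libs": []}
    zip_start = find_appended_zip(data)
    if zip_start is None:
        return report
    report["zip_offset"] = zip_start
    with zipfile.ZipFile(io.BytesIO(data[zip_start:])) as zf:
        report["entries"] = zf.namelist()
    report["native_libs"] = [n for n in report["entries"] if n.endswith(".so")]
    return report


def build_sample() -> bytes:
    """Constructed input: a TIFF header and padding, then a ZIP with a placeholder .so."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("lib/arm64-v8a/libplaceholder.so", b"\x7fELF placeholder bytes")
        zf.writestr("readme.txt", b"not a library")
    header = b"II*\x00" + struct.pack("<I", 8) + b"\x00" * 0x200  # stand-in IFD area
    return header + buf.getvalue()


if __name__ == "__main__":
    print(triage_dng(build_sample()))
```

A real DNG parser would also walk the IFD chain to confirm that the ZIP lies beyond the last TIFF structure; this helper only shows the appended-archive check.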

A subsequent analysis of the samples revealed that the embedded modular spyware is designed specifically for Samsung Galaxy devices.

Its capabilities include device fingerprinting (i.e., collecting information on the device, installed applications, VPN status, etc.) and data exfiltration: the spyware can switch on the microphone, record calls, harvest contacts, grab SMS/messaging data and photos, etc.

It’s also able to persist on the device and perform actions aimed at hiding its presence from the user and mobile security solutions.

“The analysis of the loader reveals evidence of commercial-grade activity,” they added.

“However, we have not directly analyzed the next-stage components of the spyware. Additional details on this or on the exact delivery method would provide even more insight into the malicious activity.”

Attack attribution

Based on the VirusTotal submission data for the malicious DNG files, potential targets for the spyware were located in Iran, Turkey, and Morocco.

“Turkey’s national CERT (…) reported IP addresses used by LANDFALL’s C2 servers as malicious, mobile- and APT-related, which also supports the possible targeting of victims in Turkey,” the researchers shared.

Even though LANDFALL’s C2 infrastructure and domain registration patterns share similarities with infrastructure associated with Stealth Falcon – a threat group that has conducted targeted spyware attacks against journalists and activists in the United Arab Emirates – the lack of additional overlapping indicators has prevented the researchers from attributing the LANDFALL activity to a known private-sector offensive actor (i.e., cyber mercenary) or other threat actor.
