![\"CISA\"](\"https:\/\/www.europesays.com\/us\/wp-content\/uploads\/2025\/11\/CISA--headpic.jpg\")
<\/p>\n<\/p>\n
CISA ordered U.S. federal agencies today to patch a critical Samsung vulnerability that has been exploited in zero-day attacks to deploy LandFall spyware on devices running WhatsApp.<\/p>\n
Tracked as\u00a0CVE-2025-21042<\/a>, this\u00a0out-of-bounds write\u00a0security flaw was discovered in Samsung’s libimagecodec.quram.so library, allowing remote attackers to gain code execution on\u00a0devices running Android 13 and later.<\/p>\n While Samsung patched it in April<\/a> following a report from Meta and WhatsApp Security Teams,\u00a0Palo Alto Networks’ Unit 42 revealed last week that attackers had\u00a0been exploiting it\u00a0since\u00a0at least July 2024<\/a> to deploy\u00a0previously unknown LandFall spyware\u00a0via malicious DNG images sent over WhatsApp.<\/p>\n The spyware is capable of accessing the victim’s browsing history, recording calls and audio, tracking their location, as well as accessing photos, contacts, SMS, call logs, and files.<\/p>\n According to Unit 42’s analysis, it targets a wide range of\u00a0Samsung\u00a0flagship models, including\u00a0the Galaxy S22, S23, and S24 series devices, as well as the Z Fold 4 and Z Flip 4.<\/p>\n \u200bData from VirusTotal samples examined by Unit 42 researchers shows potential targets in Iraq, Iran, Turkey, and Morocco, while C2 domain infrastructure and\u00a0registration patterns share similarities with those seen in Stealth Falcon operations, which originated from the United Arab Emirates.<\/p>\n Another clue is the use of the “Bridge Head” name for the malware loader component, a naming convention commonly seen in commercial spyware developed by\u00a0NSO Group, Variston, Cytrox, and Quadream.\u00a0However, LandFall could not be confidently linked to any known spyware vendors or\u00a0threat groups.<\/p>\n \u00a0<\/p>\n CISA has now\u00a0added<\/a>\u00a0the CVE-2025-21042 flaw\u00a0to its\u00a0Known Exploited Vulnerabilities catalog<\/a>, which lists security bugs flagged as actively exploited in attacks, ordering\u00a0Federal Civilian Executive Branch (FCEB) agencies to secure their Samsung devices against ongoing attacks within three weeks, until December 1, as mandated by the Binding Operational Directive (BOD) 22-01.<\/p>\n FCEB agencies are non-military agencies within the U.S. executive branch, including the Department of Energy, the Department of the Treasury, the Department of Homeland Security, and the Department of Health and Human Services.<\/p>\n While this binding operational directive\u00a0only applies to federal agencies, CISA has urged all organizations to prioritize patching this security flaw\u00a0as soon as possible.<\/p>\n “This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise,” it warned.<\/p>\n “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable,” the cybersecurity agency added.<\/p>\n In September, Samsung released security updates to\u00a0patch another\u00a0libimagecodec.quram.so flaw<\/a>\u00a0(CVE-2025-21043) that was exploited in zero-day attacks targeting its Android devices.<\/p>\n![\"Wiz\"](\"https:\/\/www.europesays.com\/us\/wp-content\/uploads\/2025\/11\/AI-Data-Security-970x250.png\")
<\/a><\/p>\n![\"CVE-2025-21042](\"https:\/\/www.europesays.com\/us\/wp-content\/uploads\/2025\/11\/dmg.jpg\")
CVE-2025-21042 exploitation timeline (Unit 42)<\/p>\n
![\"Wiz\"](\"https:\/\/www.europesays.com\/us\/wp-content\/uploads\/2025\/11\/Secrets-Security-512x512.png\")
<\/a><\/p>\n