CISA acknowledges known exploitation of Samsung Mobile vulnerability

CVE-2025-21042 has been added to the US cyber agency’s Known Exploited Vulnerabilities Catalog days after researchers outlined the LANDFALL spyware campaign.

A vulnerability in Samsung Mobile devices disclosed more than a year ago has just been added to the United States Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities Catalog.

CVE-2025-21042 is an out-of-bounds write vulnerability in libimagecodec.quram.so in devices prior to SMR Apr-2025 Release 1. The vulnerability could allow an attacker to run arbitrary code.

The vulnerability was first reported in September 2024 and addressed over six months later, in Samsung’s monthly Security Maintenance Release (SMR) process, in April 2025, alongside several dozen other vulnerabilities.

At the time, the issue impacted Android versions 13, 14, and 15.

Researchers at Palo Alto Networks’ Unit 42 outlined how a newly discovered, commercial-grade spyware platform had been observed exploiting the flaw.

“Unit 42 researchers have uncovered a previously unknown Android spyware family, which we have named LANDFALL,” Unit 42 said in a 7 November blog post.

“To deliver the spyware, attackers exploited a zero-day vulnerability (CVE-2025-21042) in Samsung’s Android image processing library.”

LANDFALL is delivered through malicious image files sent over the WhatsApp messaging platform, using an attack chain similar to those seen in incidents reported in previous months. However, LANDFALL appears to predate those disclosures and had likely been in circulation since the middle of 2024, targeting devices in the Middle East.

The spyware was capable of conducting “comprehensive surveillance”, according to Unit 42, and could access a device’s microphone, track its location, collect photos, and monitor call logs.

“The campaign shares infrastructure and tradecraft patterns with commercial spyware operations in the Middle East, indicating possible links to private-sector offensive actors (PSOAs),” Unit 42 said.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
