Patch now: Samsung zero-day lets attackers take over your phone
A critical vulnerability, CVE-2025-21042, affecting Samsung mobile devices is actively being exploited in the wild, prompting the US Cybersecurity and Infrastructure Security Agency (CISA) to add it to its Known Exploited Vulnerabilities (KEV) catalog. This addition signals an urgent need for patching, especially for Federal Civilian Executive Branch (FCEB) agencies, which have a deadline of December 1, 2025, to comply with CISA’s operational directive. The zero-day flaw is an out-of-bounds write vulnerability in Samsung’s image processing library, allowing attackers to execute arbitrary code remotely and potentially gain complete control over a victim’s phone without any user interaction.

The vulnerability was reportedly exploited to deploy LANDFALL spyware on Galaxy devices in the Middle East. Attackers weaponized the vulnerability to deliver the spyware through malformed Digital Negative (DNG) image files sent via WhatsApp. The attack chain involves a victim receiving a booby-trapped DNG photo file, which contains ZIP archive payloads and tailored exploit code. Processing the image alone is enough to compromise the device, making it a zero-click attack. The exploitation of CVE-2025-21042 demonstrates how image processing flaws are becoming a favored entry point for both espionage and cybercrime.

Samsung addressed this issue in April 2025; however, the continued active exploitation highlights the time lag between patching and widespread adoption, allowing attackers a window of opportunity. The affected device models include the Galaxy S23 Series, Galaxy S24 Series, Galaxy Z Fold4, Galaxy S22, and Galaxy Z Flip4. The stakes are high, including data theft, surveillance, and compromised mobile devices potentially serving as entry points for broader enterprise attacks.
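The article notes that the malicious DNG files carried ZIP archive payloads. A simple defender-side triage check for that pattern, added here as an illustration and not taken from the article or from any published LANDFALL analysis, is to verify that a file presents a TIFF/DNG header and then look for ZIP structures hidden inside it; the sample file below is constructed locally and contains only a harmless placeholder member.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"   # start of a ZIP local file header
TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is TIFF-based (little/big endian)


def is_tiff_like(data: bytes) -> bool:
    """True if the bytes start with a TIFF header, as a DNG file must."""
    return data[:4] in TIFF_MAGICS


def find_zip_headers(data: bytes) -> list:
    """Return every offset at which a ZIP local file header signature appears."""
    offsets, start = [], 0
    while (idx := data.find(ZIP_LOCAL_HEADER, start)) != -1:
        offsets.append(idx)
        start = idx + len(ZIP_LOCAL_HEADER)
    return offsets


def triage_dng(data: bytes) -> dict:
    """Heuristic: a DNG that also parses as a ZIP archive deserves a closer look.

    zipfile locates the end-of-central-directory record from the tail of the
    data, so it copes with an archive appended after the image bytes.
    """
    result = {"tiff_header": is_tiff_like(data),
              "zip_offsets": find_zip_headers(data),
              "zip_members": []}
    if result["zip_offsets"] and zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["zip_members"] = zf.namelist()  # list only, never extract
    result["suspicious"] = result["tiff_header"] and bool(result["zip_members"])
    return result


def build_sample_dng_with_zip() -> bytes:
    """Constructed sample: minimal TIFF header + appended ZIP (not a real exploit file)."""
    # 'II*\0', first IFD at offset 8, an IFD with 0 entries, next-IFD pointer 0
    tiff = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<H", 0) + struct.pack("<I", 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("placeholder.txt", b"constructed benign content")
    return tiff + buf.getvalue()


if __name__ == "__main__":
    print(triage_dng(build_sample_dng_with_zip()))
```

The check is a triage signal, not proof of exploitation: a legitimate DNG will not embed a ZIP archive, but a flagged file still needs analysis in an isolated environment.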
Samsung addressed another image-library flaw, CVE-2025-21043, in September 2025, reinforcing the trend of image processing flaws as attack vectors.

To mitigate the risk, users and businesses are urged to patch immediately, especially if devices haven’t been updated since April 2025. Security professionals should also advise users to be wary of unsolicited messages and files, particularly images received over messaging apps. Downloading apps only from trusted sources and avoiding sideloading files are crucial security practices. Implementing and maintaining up-to-date real-time anti-malware solutions on mobile devices can further reduce the attack surface. As LANDFALL illustrates, the most dangerous attacks today are often silent, requiring no user interaction and leaving no obvious signs until it’s too late, making proactive security measures essential.

To read the complete article, see: Malwarebytes Article.