Cybersecurity · 11 Nov 2025 · 4m · malwarebytes.com

Urgent Samsung Vulnerability Poses Risk of Phone Takeover

A severe vulnerability in Samsung devices is exposing users to potential takeover by cybercriminals. CISA's recent alert underscores the urgency for patches to prevent serious exploitation.

Key Takeaways

  • 1. "If you haven’t updated your Samsung device since April, do so right away."
  • 2. "The most dangerous attacks today are often the quietest—no user action is required and there are no obvious signs until it’s too late," cautioned a leading analyst in mobile cybersecurity.
  • 3. "Organizations under the Federal Civilian Executive Branch have until December 1, 2025, to comply with CISA’s operational directive regarding this vulnerability," stated another cybersecurity expert.

A newly identified security flaw threatens to compromise Samsung mobile devices, presenting a significant risk to their users. On November 10, 2025, the US Cybersecurity and Infrastructure Security Agency (CISA) included this vulnerability, known as CVE-2025-21042, in its Known Exploited Vulnerabilities (KEV) catalog. This catalog details vulnerabilities actively targeted in cyberattacks, signaling urgency for organizations to implement necessary patches.

"CISA’s addition of this vulnerability to the KEV catalog indicates an urgent need for organizations to take action and protect their systems," said a CISA representative. The ongoing risk is highlighted by the fact that this vulnerability has reportedly been exploited to deploy LANDFALL spyware on Galaxy devices, particularly in the Middle East. Such quick exploitation showcases how cybercriminals can swiftly adapt and act upon newly discovered vulnerabilities.


CVE-2025-21042 is an out-of-bounds write vulnerability in Samsung’s image processing library. This type of flaw lets an attacker write data past the end of an allocated memory buffer, which corrupts adjacent memory and can lead to unauthorized code execution. Specifically, it permits remote attackers to execute arbitrary code on the device, providing them with complete control without any user interaction required. "No clicks required. No warning given," emphasized a cybersecurity analyst discussing the implications.

While Samsung had issued a patch for this issue back in April 2025, CISA’s warning demonstrates the stark reality of exploitation taking place for several months. Attackers seem to be outpacing defenders, which raises critical concerns regarding data theft, surveillance, and the use of compromised devices as gateways to larger-scale enterprise attacks.

The method of exploitation is particularly insidious. Research from Unit 42 shows that attackers exploiting this vulnerability have sent malformed Digital Negative (DNG) image files via messaging platforms like WhatsApp to install LANDFALL spyware. DNG is a RAW image format that lets digital photographers store uncompressed data. "This is a ‘zero-click’ attack. The user doesn’t have to tap, open, or execute anything. Just processing the image is enough to compromise the device," detailed a security researcher.


The attack process involves the following steps:

1. A victim receives a manipulated DNG photo file.
2. This file contains a ZIP archive payload and exploit code that triggers the vulnerability in Samsung’s image codec library.
3. The mere act of processing the image leads to device compromise.
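A triage check for the file structure described in the steps above, as an added example that is not from the original article or from Unit 42: it flags TIFF-based image files (DNG uses the TIFF container) that also hold a structurally valid ZIP archive. The function names and the constructed sample bytes are assumptions for illustration, and a hit is a reason to quarantine and inspect a file, not proof of this exploit.

```python
import io
import struct
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # little/big-endian TIFF header (DNG is TIFF-based)
EOCD_SIG = b"PK\x05\x06"                # ZIP end-of-central-directory record
CDIR_SIG = b"PK\x01\x02"                # ZIP central-directory file header
EOCD_LEN = 22                           # fixed part of the EOCD record


def find_embedded_zip(data: bytes):
    """Return {'zip_start', 'entries'} for a valid ZIP inside a TIFF/DNG, else None."""
    if data[:4] not in TIFF_MAGICS:
        return None  # not a TIFF container, out of scope for this check
    pos = data.rfind(EOCD_SIG)
    while pos != -1:
        rec = data[pos:pos + EOCD_LEN]
        if len(rec) == EOCD_LEN:
            _sig, _disk, _cd_disk, _n_disk, entries, cd_size, cd_off, _clen = \
                struct.unpack("<4sHHHHIIH", rec)
            # The central directory ends where the EOCD begins. Derive its start
            # from the size, because an archive placed after image data is
            # shifted relative to the offset stored in the record.
            cd_start = pos - cd_size
            zip_start = cd_start - cd_off
            if (entries and zip_start >= 0
                    and data[cd_start:cd_start + 4] == CDIR_SIG):
                return {"zip_start": zip_start, "entries": entries}
        pos = data.rfind(EOCD_SIG, 0, pos)  # try an earlier candidate signature
    return None


def constructed_samples():
    """Build benign test inputs: a stub TIFF header, and the same stub plus a ZIP."""
    # Constructed stub: TIFF header pointing at an empty IFD (no image data).
    clean = b"II*\x00" + struct.pack("<I", 8) + struct.pack("<HI", 0, 0)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("placeholder.txt", "constructed sample, harmless")
    return clean, clean + buf.getvalue()


if __name__ == "__main__":
    clean, carrier = constructed_samples()
    print("clean  :", find_embedded_zip(clean))
    print("carrier:", find_embedded_zip(carrier))
```
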

Other vulnerabilities also pose similar threats. Samsung has recently addressed another flaw, categorized as CVE-2025-21043, which highlights a concerning trend: vulnerabilities in image processing are increasingly being targeted for cyberattacks. The frequency of these vulnerabilities indicates a growing risk landscape for mobile devices.

In light of this alarming development, experts recommend a series of proactive steps users and organizations can take. "Use up-to-date real-time anti-malware solutions on your devices and only download apps from trusted sources," advised cybersecurity professionals. They also advise caution with unsolicited messages and files, especially images received via messaging applications.


Immediate action is also vital. "If you haven’t updated your Samsung device since April, do so right away. Organizations under the Federal Civilian Executive Branch have until December 1, 2025, to comply with CISA’s operational directive regarding this vulnerability," stated another cybersecurity expert.

As the threat landscape continues to evolve with these mobile device exploits, the importance of awareness, swift patching, and robust security measures cannot be overstated. "The most dangerous attacks today are often the quietest—no user action is required and there are no obvious signs until it’s too late," cautioned a leading analyst in mobile cybersecurity.


Affected devices include popular models such as the Galaxy S23, Galaxy S24, Galaxy Z Fold4, Galaxy S22, and Galaxy Z Flip4, making it essential for a large number of users to take heed of the risks.

In conclusion, as cybersecurity threats continue to affect our daily lives, safeguarding our mobile devices through timely updates and security practices remains crucial. LANDFALL serves as a stark reminder of the sophisticated tactics employed by cybercriminals and underscores the pressing need for vigilance and resilience in the face of evolving threats.