CISA Flags Spyware Zero-Day in Urgent Security Alert

Summary
– US federal agencies must patch a critical zero-day vulnerability (CVE-2025-21042) in Samsung devices by December 1, as mandated by CISA.
– The flaw, with a CVSS score of 9.8, has been exploited since mid-2024 to deploy LandFall spyware via malicious DNG image files sent through WhatsApp.
– LandFall spyware enables comprehensive surveillance, including recording audio, tracking location, and collecting photos, contacts, and call logs, primarily targeting Middle East victims.
– The campaign shares infrastructure and tactics with known commercial spyware operations, suggesting links to private-sector offensive actors (PSOAs).
– Affected Samsung devices include the Galaxy S22, S23, S24, Z Fold4, and Z Flip4; private sector organizations are also urged to apply the available mitigations.
A critical security alert has been issued by US authorities concerning a high-risk vulnerability affecting Samsung mobile devices. Federal agencies are now under a strict deadline to address this actively exploited flaw, which has been leveraged by attackers to install sophisticated spyware on targeted smartphones since the middle of last year.
Identified as CVE-2025-21042, this dangerous out-of-bounds write vulnerability carries a severe CVSS rating of 9.8. Samsung released a corrective patch for this issue back in April. However, recent findings from Palo Alto Networks reveal that malicious actors have been using this security gap in an ongoing surveillance operation since mid-2024.
In this campaign, a commercially developed spyware called LandFall was concealed within malicious DNG image files. These files were distributed to targets through WhatsApp messages. Researchers noted that the attack may have utilized zero-click exploit techniques, allowing the spyware to install itself and execute remote code without requiring any action from the device owner.
The tactics observed bear a strong resemblance to another exploit chain involving Apple and WhatsApp that came to light in August 2025. They also mirror methods associated with a different zero-day vulnerability, CVE-2025-21043, disclosed the following September. Importantly, the investigation did not uncover any previously unknown security flaws within the WhatsApp platform itself.
Palo Alto’s analysis indicates that LandFall spyware is engineered primarily for surveillance targets located in the Middle East. The malware provides attackers with comprehensive surveillance capabilities, enabling them to secretly record audio through the microphone, track the device’s physical location, and harvest personal data including photos, contact lists, and call history records.
The infrastructure and operational patterns used in this campaign share significant overlap with other known commercial spyware activities in the region. This similarity suggests potential connections to private-sector offensive actors, or PSOAs, who develop and sell surveillance tools.
A broad range of Samsung devices is considered vulnerable to this threat. Affected models include popular Galaxy series phones such as the S22, S23, and S24, along with the Z Fold4 and Z Flip4 foldable devices.
The US Cybersecurity and Infrastructure Security Agency has formally added this vulnerability to its Known Exploited Vulnerabilities catalog. This designation mandates that all federal civilian agencies implement protective measures by December 1. Required actions include applying the vendor-provided security updates, adhering to specific guidance for cloud services, or discontinuing use of the products if no mitigation is available.
While the directive specifically applies to government bodies, private sector organizations are strongly advised to monitor the KEV catalog and apply relevant patches to strengthen their own security defenses against this active threat.
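The advice to monitor the KEV catalog is easy to automate. The script below is an added example, not code from the article, CISA or Samsung: it parses a KEV-style JSON feed, keeps only entries for vendors in a local asset inventory, and classifies each by how close its remediation due date is. The feed URL is CISA's public one; the field names (`cveID`, `vendorProject`, `dueDate`, and so on) are assumed to match that feed's layout, and the embedded sample feed is constructed to mirror the article's facts (the `dateAdded` value and the second entry are placeholders).

```python
"""Flag CISA KEV entries relevant to a local asset inventory by due date.

Added example (not the article's or CISA's code). Assumptions: the feed
uses the public KEV JSON field names; SAMPLE_FEED below is constructed.
"""
import json
import urllib.request
from datetime import date, datetime, timedelta

# Public KEV feed location (real URL); fetch_feed() is optional and never
# called by the offline checks below.
KEV_FEED_URL = (
    "https://www.cisa.gov/sites/default/files/feeds/"
    "known_exploited_vulnerabilities.json"
)

# Constructed sample feed modelled on the article. The dateAdded value and
# the second entry are placeholders, not facts from the article.
SAMPLE_FEED = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {
            "cveID": "CVE-2025-21042",
            "vendorProject": "Samsung",
            "product": "Mobile Devices",
            "vulnerabilityName": "Samsung Mobile Devices Out-of-Bounds Write Vulnerability",
            "dateAdded": "2025-11-10",  # placeholder
            "requiredAction": "Apply mitigations per vendor instructions, follow applicable "
                              "guidance for cloud services, or discontinue use of the product "
                              "if mitigations are unavailable.",
            "dueDate": "2025-12-01",
        },
        {
            "cveID": "CVE-2025-00000",  # constructed filler entry, unrelated vendor
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder entry",
            "dateAdded": "2025-11-10",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "dueDate": "2025-12-01",
        },
    ],
})


def fetch_feed(url: str = KEV_FEED_URL, timeout: int = 30) -> str:
    """Download the live feed as text (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def load_entries(feed_text: str) -> list:
    """Parse feed JSON and return the list of vulnerability records."""
    return json.loads(feed_text).get("vulnerabilities", [])


def relevant_entries(entries: list, inventory_vendors: set) -> list:
    """Keep entries whose vendorProject matches the inventory (case-insensitive)."""
    wanted = {v.lower() for v in inventory_vendors}
    return [e for e in entries if e.get("vendorProject", "").lower() in wanted]


def classify(entry: dict, today: date, warn_days: int = 14) -> str:
    """Return 'overdue', 'due_soon' (within warn_days) or 'ok' for one entry."""
    due = datetime.strptime(entry["dueDate"], "%Y-%m-%d").date()
    if due < today:
        return "overdue"
    if due <= today + timedelta(days=warn_days):
        return "due_soon"
    return "ok"


def report(feed_text: str, inventory_vendors: set, today: date) -> list:
    """Return (cveID, status, dueDate) tuples for inventory-relevant entries."""
    rows = []
    for entry in relevant_entries(load_entries(feed_text), inventory_vendors):
        rows.append((entry["cveID"], classify(entry, today), entry["dueDate"]))
    return rows


if __name__ == "__main__":
    # Offline run against the constructed sample; swap in fetch_feed() for live data.
    for cve, status, due in report(SAMPLE_FEED, {"Samsung"}, date.today()):
        print(f"{cve}: {status} (due {due})")
```

Running the script as-is prints the Samsung entry from the constructed sample; pointing `report` at `fetch_feed()` instead turns it into a daily check that a scheduler can run against the live catalog, with the vendor set taken from whatever asset inventory you maintain.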
(Source: Info Security)