US federal agencies have been told to patch a zero-day vulnerability used by threat actors since last year to deploy spyware to Samsung devices.
The out-of-bounds write flaw CVE-2025-21042 has a CVSS score of 9.8 and was patched by Samsung in April. However, an analysis by Palo Alto Networks published last week claimed it had been used in a spyware campaign since mid-2024.
During that campaign, commercial-grade spyware known as LandFall was embedded in malicious DNG image files and sent via WhatsApp to targets. Zero-click exploits may have been used to achieve remote code execution without any user interaction, Palo Alto said.
“This method closely resembles an exploit chain involving Apple and WhatsApp that drew attention in August 2025,” it added.
“It also resembles an exploit chain that likely occurred using a similar zero-day vulnerability (CVE-2025-21043) disclosed in September. Our research did not identify any unknown vulnerabilities in WhatsApp.”
According to Palo Alto’s analysis, LandFall is primarily designed to target victims in the Middle East and enables “comprehensive surveillance, including microphone recording, location tracking and collection of photos, contacts and call logs.”
The report adds: “The campaign shares infrastructure and tradecraft patterns with commercial spyware operations in the Middle East, indicating possible links to private-sector offensive actors (PSOAs).”
At risk are a wide range of Samsung devices, including Galaxy S22, S23, and S24, and Z Fold4 and Z Flip4.
CISA KEV Sets Deadline Date
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-21042 to its Known Exploited Vulnerabilities (KEV) catalog yesterday.
It requires federal agencies to take the following actions by December 1: “Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.”
Private sector organizations are also encouraged to follow KEV guidance where possible to improve their security posture.
