CVE-2025-21042 Update


Lookout Coverage and Recommendation for Admins
To ensure your devices are protected, users should avoid opening image files from unknown or unsolicited sources, especially on devices that have not yet received the April 2025 patch. Because this exploit is zero-click or near-zero-click, user caution alone is not sufficient. Lookout admins should:
- Patch Compliance: Leverage patch level policy to flag devices running an Android Security Patch Level (ASPL) older than the April 5, 2025 release, as this specific update contains the fix for the critical out-of-bounds write flaw.
- Threat Prevention: Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that deliver exploit URLs.
- Risk Management: Continuously monitor device status, as vulnerabilities like this one can grant attackers broad access to the device and lead to data leakage for enterprise organizations.
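As an added illustration of the Patch Compliance item above (this is not Lookout's code and does not reproduce the Lookout patch level policy), the check below takes a device inventory and flags Samsung devices whose Android Security Patch Level (SPL) predates the April 2025 Samsung Security Maintenance Release that fixes CVE-2025-21042. The inventory record layout is an assumption; the SPL value itself is what `adb shell getprop ro.build.version.security_patch` reports on the device. Because SMRs are monthly, the comparison is done at month granularity, so a September 2025 SPL (the level required by the later CVE-2025-21043 guidance) is accepted as patched. Devices matching the flagship models the page names as LANDFALL targets are prioritised, but every unpatched device is flagged.

```python
"""Flag devices missing the CVE-2025-21042 fix (SMR Apr-2025 Release 1).

Added example only; not Lookout code. The Device record layout and the
sample inventory are constructed for illustration.
"""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple

# Reference point used by the page: flag any ASPL older than the April 5, 2025
# release. Comparison below is by (year, month) because Samsung SMRs are monthly.
FIX_SPL = date(2025, 4, 5)

# Flagship models the page names as LANDFALL targets, running Android 13-16.
# Used for prioritisation only; the patch requirement applies to all devices.
LANDFALL_TARGETS = ("Galaxy S22", "Galaxy S23", "Galaxy S24",
                    "Galaxy Z Fold4", "Galaxy Z Flip4")
LANDFALL_ANDROID = range(13, 17)

# Matches one line of `adb shell getprop` output: "[key]: [value]".
_GETPROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


@dataclass
class Device:
    device_id: str
    model_name: str       # marketing name, e.g. "Galaxy S24" (assumed field)
    android_version: int  # major version from ro.build.version.release
    security_patch: str   # ro.build.version.security_patch, e.g. "2025-04-01"


def parse_getprop(text: str) -> Dict[str, str]:
    """Turn raw `getprop` output into a dict; ignores lines that do not match."""
    props: Dict[str, str] = {}
    for line in text.splitlines():
        m = _GETPROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def parse_spl(value: str) -> Optional[date]:
    """SPL is an ISO date string; return None rather than guess on bad input."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_patched(spl: date, fix: date = FIX_SPL) -> bool:
    """True if the SPL is from the fix month or later (SMRs are cumulative)."""
    return (spl.year, spl.month) >= (fix.year, fix.month)


def assess(devices: List[Device]) -> List[Tuple[str, str]]:
    """Return (device_id, finding) for every device an admin must act on."""
    findings: List[Tuple[str, str]] = []
    for d in devices:
        spl = parse_spl(d.security_patch)
        if spl is None:
            # A device that cannot report a valid SPL cannot be proven patched.
            findings.append((d.device_id, "unparseable_spl"))
            continue
        if is_patched(spl):
            continue
        targeted = (d.model_name.startswith(LANDFALL_TARGETS)
                    and d.android_version in LANDFALL_ANDROID)
        findings.append((d.device_id,
                         "landfall_target_unpatched" if targeted else "unpatched"))
    return findings


# Constructed sample data, not real fleet records.
GETPROP_SAMPLE = """\
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2025-03-01]
[ro.product.model]: [constructed]
"""

SAMPLE_INVENTORY = [
    Device("dev-1", "Galaxy S24", 15, parse_getprop(GETPROP_SAMPLE)["ro.build.version.security_patch"]),
    Device("dev-2", "Galaxy S23", 14, "2025-04-01"),   # April SMR: patched
    Device("dev-3", "Galaxy A54", 14, "2024-12-01"),   # not a LANDFALL model, still unpatched
    Device("dev-4", "Galaxy Z Fold4", 13, "2025-09-01"),  # Sep-2025 level supersedes the fix
    Device("dev-5", "Galaxy S22", 12, "2025-02-01"),   # outside Android 13-16, still unpatched
    Device("dev-6", "Galaxy S22", 13, "unknown"),      # malformed SPL
]

if __name__ == "__main__":
    for device_id, finding in assess(SAMPLE_INVENTORY):
        print(f"{device_id}: {finding}")
```

Feed `assess()` with records exported from your MDM or built from `getprop` output per device; anything it returns should be patched or quarantined, and `unparseable_spl` devices should be treated as unpatched until they report a valid level.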
Overview
CISA has issued updated guidance for CVE-2025-21042, a critical out-of-bounds write vulnerability in Samsung mobile devices. The flaw resides in libimagecodec.quram.so, Samsung's image codec library, and affects devices running software prior to the April 5, 2025 release. This vulnerability was actively exploited in the LANDFALL spyware campaign, which targeted flagship models, including the Galaxy S22, S23, S24, Z Fold4, and Z Flip4, running Android versions 13 through 16.
Devices are at risk from a vulnerability that can be exploited by merely processing a malicious DNG (Digital Negative) image file containing embedded spyware. This exploit chain is particularly dangerous because it's delivered through messaging applications like WhatsApp using a zero-click or near-zero-click method. This means a device can be compromised without the user even needing to open the image.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its catalog of Known Exploited Vulnerabilities (KEV), confirming it has been actively exploited in the wild. This CVE is patched by the SMR Apr-2025 Release 1. Note that the previous Samsung Technical Guidance (TG), covering CVE-2025-21043 (patched in the SMR Sep-2025 Release 1), already requires a newer patch level: because Samsung security patch levels are cumulative, a device compliant with that guidance is also patched against CVE-2025-21042.
United States government organizations are required to have all vulnerable devices patched by December 1, 2025.
Enterprise Guidance: While CISA’s requirement is only for U.S. government organizations, their guidance should be considered a critical source of information and a call to action for all enterprise organizations, as well.
Lookout Analysis
Regardless of who builds software, it is rarely perfect. What is most concerning about this vulnerability is that it requires little or no action from the target. Since mobile devices typically process incoming images automatically in messaging apps such as Messages or WhatsApp, as well as in mail and browser apps, the end user could open the door for an attacker without ever knowing it.
Without visibility into vulnerable devices across your mobile fleet, your organization and its data could be exposed to threats like this. To feed device risk data into your SIEM, SOAR, EDR, or XDR, integrate Lookout with those tools via the Mobile Intelligence APIs. You can learn how to set up those APIs in this interactive demo.