CVE-2025-21042
published 2025-09-12

CVE-2025-21042: Out-of-bounds write in libimagecodec.quram.so prior to SMR Apr-2025 Release 1 allows remote attackers to execute arbitrary code.

Priority: P1 · 91 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2025-12-01
Exploited in the wild
EPSS: 11.61% (95.5th percentile)

Affected (3 ranges)

Vendor  | Product | Version range | Fixed in
samsung | android |               |
samsung | android |               |
samsung | android |               |

Detection & IOCs (extracted from sources)

filename: libimagecodec.quram.so
filename: b.so
filename: l.so
path: /data/data/com.samsung.ipservice/files/
  • Monitor WhatsApp Media directories for suspicious DNG files, which are used as the initial delivery vector for the LANDFALL spyware campaign exploiting this CVE.
  • Review device logs for execution of b.so (loader/backdoor) and l.so (privilege escalation) modules, which are the two-stage payload deployed post-exploitation.
  • Inspect the path /data/data/com.samsung.ipservice/files/ for anomalous files dropped by the LANDFALL spyware.
  • Weaponized DNG image files contain embedded ZIP archives with ELF binaries; scan incoming DNG files in messaging apps for embedded ZIP/ELF content.
  • The exploit achieves zero-click remote code execution — no user interaction is required. Prioritize detection at the network/media ingestion layer rather than relying on user-triggered indicators.
  • The campaign targets Galaxy S22/S23/S24 series, Z Fold4, and Z Flip4 devices running Android 13, 14, and 15; scope detection and patch prioritization to these specific models.
  • Look for SELinux bypass activity and persistent system-level access as post-exploitation indicators on Samsung devices.
  • The spyware collects IMEI, IMSI, contacts, and location data; monitor for unexpected exfiltration of these data types from Samsung devices.
  • C2 communication uses certificate pinning and encryption; look for anomalous encrypted outbound connections from Samsung devices, particularly from processes associated with com.samsung.ipservice.
  • The malware targets specific device models using hardcoded identifiers; exploitation may silently fail or behave differently on non-targeted Samsung models.
  • The LANDFALL spyware includes anti-forensics routines and analysis environment detection, which may hinder sandbox-based detection and dynamic analysis.
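As an added illustration of the DNG bullet above (scan incoming DNG files for embedded ZIP/ELF content), not code from this page or from any vendor: a small Python triage scanner that flags a TIFF/DNG carrying ZIP member headers or ELF magic and lists any ZIP member that begins with an ELF header. The sample input it builds is constructed for the test and contains no real image or binary.

```python
import io
import zipfile

TIFF_MAGICS = (b"II*\x00", b"MM\x00*")  # DNG is a TIFF container; real files start this way
ZIP_LOCAL_HEADER = b"PK\x03\x04"        # every ZIP member starts with this
ELF_MAGIC = b"\x7fELF"                  # every ELF binary starts with this


def _find_all(data: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs in data."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + 1)
    return offsets


def scan_dng(data: bytes) -> dict:
    """Report raw ZIP/ELF magic hits, then parse the buffer as a ZIP and list ELF-headed members."""
    result = {
        "is_tiff": data[:4] in TIFF_MAGICS,
        "zip_offsets": _find_all(data, ZIP_LOCAL_HEADER),
        "elf_offsets": _find_all(data, ELF_MAGIC),
        "elf_members": [],
    }
    if result["zip_offsets"]:
        try:
            # zipfile tolerates data prepended to an archive, i.e. the "ZIP appended to an image" layout
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():
                    with zf.open(name) as member:
                        if member.read(4) == ELF_MAGIC:
                            result["elf_members"].append(name)
        except (zipfile.BadZipFile, OSError, ValueError):
            pass  # signature without a parseable archive: the raw hits still count
    return result


def is_suspicious(result: dict) -> bool:
    """A TIFF/DNG that carries any ZIP member or ELF header is not a plain photo."""
    return result["is_tiff"] and bool(result["zip_offsets"] or result["elf_offsets"])


def build_sample(with_payload: bool) -> bytes:
    """Constructed test input (no real image or binary): minimal TIFF header, optionally plus a stored ZIP."""
    head = TIFF_MAGICS[0] + b"\x00" * 60
    if not with_payload:
        return head
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("payload.so", ELF_MAGIC + b"\x00" * 16)  # fake member with an ELF header only
        zf.writestr("readme.txt", b"benign text")
    return head + buf.getvalue()
```

Raw magic scanning catches archives the ZIP parser cannot open (for example a ZIP embedded mid-file followed by more than 64 KiB of trailing data), so both checks feed the verdict.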

CVSS provenance

nvd (v3.1): 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH
cisa: 9.8 CRITICAL