The Cybersecurity and Infrastructure Security Agency (CISA) on Nov. 10 added a critical Samsung flaw, rated 9.8, to its Known Exploited Vulnerabilities (KEV) catalog.

CISA made the designation following a Nov. 7 Unit 42 blog post in which the researchers reported that the out-of-bounds bug — CVE-2025-21042 — was exploited in zero-day attacks that spread the commercial-grade LANDFALL Android spyware on high-end Samsung devices running WhatsApp.

According to the Unit 42 researchers, the Samsung vulnerability had been actively exploited in the wild since at least July 2024, well before Samsung patched it in April 2025. However, the researchers said what was new in this case was that the exploit itself — and the commercial spyware used with it — had not yet been publicly reported and analyzed.

“Teams should treat CVE-2025-21042 and the LANDFALL spyware campaign as a high-priority mobile security event — not because this is a mass-scale consumer exploit, but because it demonstrates a maturing, commercial-grade mobile threat ecosystem with real operational tradecraft,” said Heath Renfrow, co-founder and chief information security officer at Fenix24.

Renfrow said attackers bypassed traditional controls by abusing image parsing and social messaging channels, deploying surveillance tooling with depth: call recording, location tracking, file exfiltration, and access to apps and messaging data.

“CISA’s directive underscores the national-security implications: mobile devices are now primary productivity and identity platforms, and adversaries know the enterprise perimeter lives in our pockets,” said Renfrow. “Executive teams, diplomats, and high-value operators are priority targets, but enterprise environments with BYOD programs are increasingly exposed.”

Michael Bell, founder and CEO at Suzu, Inc., said teams that allow WhatsApp and issue Samsung Galaxy devices should prioritize the patch immediately if they are defense contractors, critical infrastructure operators, government agencies, or anyone with operations in targeted regions such as the Middle East, where attacks have concentrated.

“For purely domestic commercial organizations with standard corporate device policies, it’s a lower priority, but still warrants patching during your next cycle,” said Bell. “CISA’s KEV designation means active exploitation is happening, just not at mass scale.”

Samsung flaw added to CISA list after spyware uncovered on devices





