Samsung

Samsung patched a critical zero-day vulnerability (CVE-2025-21043) in its Android devices (Android 13+), exploited in real-world attacks. The flaw, an **out-of-bounds write** in *libimagecodec.quram.so* (a third-party image parsing library by Quramsoft), allowed **remote code execution (RCE)** via malicious images. Exploits were detected in the wild, with Meta/WhatsApp reporting the issue on **August 13**. While Samsung did not confirm if attacks were limited to WhatsApp users, the vulnerability posed risks to any app using the affected library. The flaw enabled attackers to **execute arbitrary code** on targeted devices without user interaction, potentially leading to **spyware deployment, data theft, or device takeover**. Concurrently, Samsung’s *MagicINFO 9 Server* (a CMS used in airports, hospitals, and retail) was targeted via another RCE flaw (CVE-2024-7399), allowing **unauthenticated malware deployment**. Though no direct link was confirmed, the combined risks highlighted systemic exposure in Samsung’s ecosystem. The company urged updates but did not disclose attack scale or victim details. The exploitation aligns with **sophisticated, targeted campaigns**, possibly linked to state-sponsored or mercenary spyware groups (e.g., NSO Group-like actors).

Source: https://www.bleepingcomputer.com/news/security/samsung-patches-actively-exploited-zero-day-reported-by-whatsapp/

TPRM report: https://www.rankiteo.com/company/samsung-electronics

"id": "sam3132231091225",
"linkid": "samsung-electronics",
"type": "Vulnerability",
"date": "6/2024",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Users of Samsung Android '
                                              'Devices (Android 13+)',
                        'industry': 'Technology (Consumer Electronics)',
                        'location': 'Global (Headquartered in Suwon, South '
                                    'Korea)',
                        'name': 'Samsung Electronics',
                        'size': 'Large (Multinational)',
                        'type': 'Corporation'},
                       {'customers_affected': 'WhatsApp Users on Samsung '
                                              'Android Devices (potential '
                                              'overlap with CVE-2025-21043) '
                                              'and iOS/macOS (CVE-2025-55177)',
                        'industry': 'Technology (Social Media/Messaging)',
                        'location': 'Global (Headquartered in Menlo Park, USA)',
                        'name': 'Meta (WhatsApp)',
                        'size': 'Large (Multinational)',
                        'type': 'Corporation'},
                       {'customers_affected': 'iOS/macOS Users (via '
                                              'CVE-2025-43300)',
                        'industry': 'Technology (Consumer Electronics)',
                        'location': 'Global (Headquartered in Cupertino, USA)',
                        'name': 'Apple Inc.',
                        'size': 'Large (Multinational)',
                        'type': 'Corporation'},
                       {'industry': 'Multiple (Public/Private Sectors)',
                        'location': 'Global',
                        'name': 'Organizations Using Samsung MagicINFO 9 '
                                'Server',
                        'type': ['Airports',
                                 'Retail Chains',
                                 'Hospitals',
                                 'Enterprises',
                                 'Restaurants']}],
 'attack_vector': ['Malicious Image Files',
                   'Exploit Chain (CVE-2025-55177 + CVE-2025-43300 for '
                   'WhatsApp/iOS/macOS)'],
 'customer_advisories': ['Update devices immediately.',
                         'Reset devices to factory settings if potentially '
                         'compromised (WhatsApp users).',
                         'Monitor for unusual activity (e.g., spyware '
                         'indicators).'],
 'data_breach': {'data_exfiltration': ['Potential (via Spyware Campaign)'],
                 'personally_identifiable_information': ['Potential (if '
                                                         'spyware deployed)']},
 'date_detected': '2025-08-13',
 'date_resolved': '2025-09-01',
 'description': 'Samsung has patched a critical remote code execution (RCE) '
                'vulnerability (CVE-2025-21043) in its Android devices, '
                'exploited in zero-day attacks. The flaw resides in '
                'libimagecodec.quram.so, a closed-source image parsing library '
                'by Quramsoft, and is caused by an out-of-bounds write '
                'weakness. The vulnerability affects Samsung devices running '
                'Android 13 or later and was reported by Meta and WhatsApp '
                'security teams on August 13. Exploits were observed in the '
                'wild, potentially targeting WhatsApp users and other instant '
                'messengers using the vulnerable library. Samsung urged users '
                'to update their devices. Separately, WhatsApp patched a '
                'zero-click vulnerability (CVE-2025-55177) chained with an '
                'Apple zero-day (CVE-2025-43300) in targeted spyware attacks, '
                'advising users to reset devices to factory settings.',
 'impact': {'brand_reputation_impact': ['Potential Erosion of Trust in '
                                        'Samsung/Meta Security',
                                        'Negative Publicity'],
            'identity_theft_risk': ['High (if spyware deployed successfully)'],
            'operational_impact': ['Potential Device Compromise',
                                   'Spyware Deployment',
                                   'Malware Distribution'],
            'systems_affected': ['Samsung Android Devices (Android 13+) with '
                                 'libimagecodec.quram.so',
                                 'WhatsApp iOS/macOS Clients (via '
                                 'CVE-2025-55177 + CVE-2025-43300)',
                                 'Samsung MagicINFO 9 Server (CVE-2024-7399)']},
 'initial_access_broker': {'backdoors_established': ['Potential (via Spyware '
                                                     'Deployment)'],
                           'entry_point': ['Malicious Image Files '
                                           '(CVE-2025-21043)',
                                           'Zero-Click Exploit (CVE-2025-55177 '
                                           'for WhatsApp)'],
                           'high_value_targets': ['WhatsApp Users (Targeted '
                                                  'Spyware Campaign)',
                                                  'Samsung MagicINFO Server '
                                                  'Operators']},
 'investigation_status': 'Ongoing (Limited details on threat actors or full '
                         'scope of exploitation)',
 'lessons_learned': ['Criticality of prompt patching for zero-day '
                     'vulnerabilities in closed-source libraries.',
                     'Need for cross-platform coordination (e.g., Samsung, '
                     'Meta, Apple) in addressing exploit chains.',
                     'Importance of user education on device updates and '
                     'factory resets during active threats.'],
 'motivation': ['Espionage (Spyware Campaign)',
                'Potential Data Theft',
                'Unauthorized Access'],
 'post_incident_analysis': {'corrective_actions': ['Samsung: Patch for '
                                                   'CVE-2025-21043 in SMR '
                                                   'Sep-2025 Release 1.',
                                                   'WhatsApp: Patches for '
                                                   'CVE-2025-55177 and user '
                                                   'advisories.',
                                                   'Apple: Patch for '
                                                   'CVE-2025-43300 (details '
                                                   'undisclosed).',
                                                   'Enhanced collaboration '
                                                   'between vendors to address '
                                                   'cross-platform exploit '
                                                   'chains.',
                                                   'Increased transparency in '
                                                   'disclosing zero-day '
                                                   'exploitation timelines.'],
                            'root_causes': ['Out-of-bounds write vulnerability '
                                            'in closed-source library '
                                            '(libimagecodec.quram.so).',
                                            'Lack of input validation for '
                                            'image parsing.',
                                            'Exploit chaining across platforms '
                                            '(WhatsApp + Apple zero-days).',
                                            'Delayed patching of known '
                                            'vulnerabilities (e.g., '
                                            'CVE-2024-7399 in MagicINFO).']},
 'recommendations': ['Users should immediately update Samsung Android devices '
                     'to SMR Sep-2025 Release 1 or later.',
                     'WhatsApp users on iOS/macOS should apply patches for '
                     'CVE-2025-55177 and CVE-2025-43300.',
                     'Organizations using Samsung MagicINFO 9 Server should '
                     'patch CVE-2024-7399 urgently.',
                     'Monitor for signs of spyware or unauthorized access, '
                     'especially if targeted by advanced threat actors.',
                     'Implement defense-in-depth strategies, including '
                     'behavioral monitoring for zero-click exploits.'],
 'references': [{'source': 'BleepingComputer'},
                {'source': 'Samsung Security Advisory (CVE-2025-21043)'},
                {'source': 'WhatsApp Security Advisory (CVE-2025-55177)'},
                {'source': 'Amnesty International Security Lab (Spyware '
                           'Campaign Analysis)'}],
 'response': {'communication_strategy': ['Public Advisory by Samsung',
                                         'User Notifications via WhatsApp'],
              'containment_measures': ['Patch Release (SMR Sep-2025 Release 1)',
                                       'WhatsApp Advisory to Reset Devices to '
                                       'Factory Settings'],
              'incident_response_plan_activated': True,
              'recovery_measures': ['User Guidance on Device Updates',
                                    'Factory Reset Recommendations'],
              'remediation_measures': ['Software Updates for Samsung Android '
                                       'Devices',
                                       'WhatsApp/iOS/macOS Patches'],
              'third_party_assistance': ['Meta/WhatsApp Security Teams '
                                         '(Reporting)',
                                         'Amnesty International Security Lab '
                                         '(Analysis)']},
 'stakeholder_advisories': ['Samsung Mobile Security Advisory',
                            'WhatsApp User Notifications'],
 'title': 'Samsung Patches Zero-Day RCE Vulnerability (CVE-2025-21043) in '
          'Android Devices',
 'type': ['Vulnerability Exploitation',
          'Zero-Day Attack',
          'Remote Code Execution (RCE)'],
 'vulnerability_exploited': ['CVE-2025-21043 (Out-of-bounds Write in '
                             'libimagecodec.quram.so)',
                             'CVE-2024-7399 (Unauthenticated RCE in Samsung '
                             'MagicINFO 9 Server)',
                             'CVE-2025-55177 (WhatsApp Zero-Click)',
                             'CVE-2025-43300 (Apple Zero-Day)']}