Samsung Zero-Day Spyware Attack Hits Government Radar

According to Infosecurity Magazine, US federal agencies have been ordered to patch a critical Samsung zero-day vulnerability that’s been actively exploited since mid-2024. The flaw, CVE-2025-21042 with a CVSS score of 9.8, was used to deploy LandFall spyware through malicious DNG image files sent via WhatsApp. Palo Alto Networks analysis revealed the campaign targeted Middle Eastern victims and may have used zero-click exploits requiring no user interaction. The spyware enables comprehensive surveillance including microphone recording, location tracking, and collection of photos and contacts. At risk are Samsung Galaxy S22, S23, S24, Z Fold4 and Z Flip4 devices. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog yesterday, giving agencies until December 1 to implement fixes.

The spyware industrial complex is booming

Here’s the thing that really gets me about these campaigns – we’re seeing the same patterns repeat over and over. Commercial spyware operations are becoming a well-oiled industry, and this LandFall campaign shares infrastructure and tradecraft with other Middle Eastern operations. Basically, private companies are now selling sophisticated surveillance tools to whoever can pay, and they’re getting really good at finding zero-days. The fact that this was active for months before being discovered tells you everything about how advanced these groups have become.

The zero-click nightmare scenario

When Palo Alto mentions this “may have used zero-click exploits,” that’s the real scary part. Think about it – you don’t have to click anything, you don’t have to open a suspicious file. Your phone just gets compromised because someone sent you an image through WhatsApp. That’s basically the holy grail for attackers. And it’s not the first time we’ve seen this approach – the researchers note it closely resembles an exploit chain involving Apple and WhatsApp from August 2025. So we’re dealing with a playbook that’s being refined and reused across different platforms.

The patch problem is real

Now here’s what bothers me about the timeline. Samsung patched this back in April, but federal agencies are just now being told to fix it in December? That’s an eight-month gap where this critical vulnerability was just sitting there. And let’s be honest – if federal agencies are this slow to patch, what about regular consumers? How many people actually install those monthly security updates promptly? The reality is most don’t, which makes these widespread vulnerabilities particularly dangerous.

So what happens now?

The CISA KEV listing is a good step, but it only applies to federal agencies. Private sector organizations are just “encouraged” to follow the guidance. Given how many businesses use Samsung devices, that’s a massive attack surface that remains largely unaddressed by mandatory requirements. And with the researchers noting this resembles another similar zero-day from September, you have to wonder how many more of these are out there waiting to be discovered. The commercial spyware industry isn’t going away – if anything, it’s getting more sophisticated and better funded. The question isn’t if we’ll see more campaigns like this, but when.
