After being alerted to the vulnerability by WhatsApp and the security teams at Meta, Samsung has rushed to fix a critical zero-day vulnerability that hackers were actively exploiting against Android devices in advanced attacks targeting users of the widely used messaging platform.
Critical remote code execution flaw fixed
According to BleepingComputer, Samsung has fixed a remote code execution vulnerability that was used in zero-day attacks against its Android devices. Tracked as CVE-2025-21043, the vulnerability is a severe security issue that affects Samsung devices running Android 13 or later and was disclosed by the security teams of both Meta and WhatsApp on August 13.
According to an advisory that Samsung recently updated, the vulnerability was found in libimagecodec.quram.so, a closed-source image parsing library developed by Quramsoft to support a wide range of image formats. It is an out-of-bounds write that permits attackers to remotely execute malicious code on vulnerable devices.
According to Samsung, an out-of-bounds write in libimagecodec.quram.so before SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code. Samsung was informed that an exploit for this issue has existed in the wild. Although Samsung did not mention whether the attacks targeted only users of WhatsApp running on Samsung Android devices, other instant messengers that use the vulnerable image parsing library could also be targeted with CVE-2025-21043 exploits.
An advanced attack campaign targets various platforms
A spokesperson at Meta said that, as part of the company's active research into a very focused exploit in the summer (which led to its security advisory for iOS/macOS WhatsApp users), it shared its discovery with its colleagues in the industry, including Apple and Samsung.
Apple addressed the high-severity vulnerability (CVE-2025-43300) last month. Samsung also released a patch, SVE-2025-1702, and published its security advisory this week. A chain of zero-click vulnerabilities in the WhatsApp iOS and macOS messaging clients (CVE-2025-55177) and an Apple zero-day vulnerability (CVE-2025-43300) were also linked in highly advanced targeted zero-day attacks in September and patched in late August, with the WhatsApp server being targeted.
At the time, WhatsApp advised potentially affected users to make sure their devices and software were up to date and to reset their devices to factory settings. Even though Apple and WhatsApp have not provided any information about the attacks involving CVE-2025-55177 and CVE-2025-43300, Donncha Ó Cearbhaill (the head of the Security Lab at Amnesty International) stated that WhatsApp has sent warnings to specific users that their devices were targeted in an advanced spyware attack.
Industry-wide collaboration in security response
When contacted earlier today, Samsung and Meta spokespersons were not immediately available to comment on the matter. In the first half of this month, hackers also started installing malware on devices that were not patched against an unauthenticated remote code execution (RCE) vulnerability (CVE-2024-7399) in the Samsung MagicINFO 9 Server, a centralized content management system (CMS) deployed by airports, retail chains, hospitals, enterprises, and restaurants.
The discovery and fix of this zero-day vulnerability illustrate the ongoing game of cat and mouse between malicious actors and security researchers. It is significant that the security team at WhatsApp found the exploit in the wild, and it shows that industry collaboration and proactive threat hunting are essential in identifying and preventing advanced persistent threats.
This attack is a grim reminder that even the most widely used messaging tools and device makers are targets of advanced attackers. Users are advised to update their Samsung devices to the most recent security patch and to watch for unusual messages or suspicious device behavior, which may be a sign that the device has been compromised.