Samsung has patched a remote code execution vulnerability that was exploited in zero-day attacks targeting its Android devices.
Tracked as CVE-2025-21043, this critical security flaw affects Samsung devices running Android 13 or later and was reported by the security teams of Meta and WhatsApp on August 13.
As Samsung explains in a recently updated advisory, this vulnerability was discovered in libimagecodec.quram.so (a closed-source image parsing library developed by Quramsoft that implements support for various image formats) and is caused by an out-of-bounds write weakness that allows attackers to execute malicious code on vulnerable devices remotely.
“Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code,” Samsung says. “Samsung was notified that an exploit for this issue has existed in the wild.”
While the company didn’t specify whether the attacks targeted only WhatsApp users with Samsung Android devices, other instant messengers that use the vulnerable image parsing library could also be targeted using CVE-2025-21043 exploits.
In late August, WhatsApp also patched a zero-click vulnerability (CVE-2025-55177) in its iOS and macOS messaging clients that was chained with an Apple zero-day flaw (CVE-2025-43300) in “extremely sophisticated” targeted zero-day attacks.
WhatsApp urged potentially impacted users at the time to keep their devices and software up to date and to reset their devices to factory settings.
Although Apple and WhatsApp haven’t released any details regarding the attacks chaining CVE-2025-55177 and CVE-2025-43300, Donncha Ó Cearbhaill (the head of Amnesty International’s Security Lab) said that WhatsApp has warned some users that their devices were targeted in an advanced spyware campaign.
Samsung and Meta spokespersons were not immediately available for comment when contacted by BleepingComputer earlier today.
Earlier this month, hackers also began deploying malware on devices left unpatched against an unauthenticated remote code execution (RCE) vulnerability (CVE-2024-7399) in the Samsung MagicINFO 9 Server, a centralized content management system (CMS) used by airports, retail chains, hospitals, enterprises, and restaurants.
