Samsung has fixed a critical flaw that was being used in attacks against its Android phones.
The vulnerability, tracked as CVE-2025-21043, was reported by Meta and WhatsApp’s security teams on 13 August. It affects Samsung devices running Android 13 and later.
The issue lies in libimagecodec.quram.so, a closed-source image-parsing library built by Quramsoft. The problem is an out-of-bounds write that a remote attacker can trigger to execute arbitrary code on a vulnerable device.
Samsung’s advisory does not clarify if the zero-day was used only against WhatsApp users. Other apps that rely on the same library could also be exposed.
This isn’t the first hit for messaging platforms in recent months. In August, WhatsApp patched another zero-day (CVE-2025-55177) affecting its iOS and macOS clients.
That bug was exploited in tandem with a separate Apple zero-day (CVE-2025-43300) in highly targeted attacks.
For now, the advice is clear: update.
Stay Vigilant
Nivedita Murthy, Senior Staff Consultant at Black Duck, says this recently identified vulnerability can be exploited to gain unauthorized access to a user’s device and its stored data.
“Both Samsung and WhatsApp have released patches to address this issue. Organizations should remain vigilant for new vulnerabilities to ensure application security without compromise. Users should ensure their devices and installed software are updated to the latest versions. Keeping devices up to date is a fundamental aspect of basic security hygiene; users should follow system notifications to stay current.”
Challenging to Verify the Software Version
Randolph Barr, Chief Information Security Officer at Cequence Security, says he purchased an Android device to better familiarize himself with it, and while he can see why users enjoy the platform, he found it a bit challenging to verify the software version and whether the September 2025 Release 1 patch was installed.
“For users, the path is: Settings → About phone → Software information → scroll down to ‘Android security patch level’. If it shows 1 September 2025, or later, then the fix for CVE-2025-21043 is in place.
“The timeliness of this also connects with a recent conversation I had with a security leader who, like many others, asked for input on how to better control devices connecting to their corporate environment that are not managed by IT. This leader already had experience with Mobile Device Management (MDM) solutions and understood the technical side, but their challenge was winning over users and executives to fully embrace these controls.”
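The manual check Barr describes, scripted for fleets where a security team can reach devices over adb. This is an added example, not code from the article or from Cequence; it assumes adb is installed, USB debugging is enabled on the device, and relies on the standard Android property ro.build.version.security_patch (format YYYY-MM-DD).

```shell
#!/bin/sh
# Added example: verify that an Android device's security patch level is at or
# after the level the article gives for the CVE-2025-21043 fix (1 September 2025).
# Assumes adb is on PATH and the device has USB debugging enabled.

REQUIRED_PATCH="2025-09-01"

# patch_level_ok LEVEL REQUIRED
# Returns 0 if LEVEL (YYYY-MM-DD) is on or after REQUIRED, 1 otherwise.
# Malformed or empty values are rejected so an unreadable property never passes.
patch_level_ok() {
  level="$1"; required="$2"
  case "$level" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) return 1 ;;
  esac
  # Strip the dashes and compare as integers (20250901 >= 20250901).
  lvl=$(printf '%s' "$level" | sed 's/-//g')
  req=$(printf '%s' "$required" | sed 's/-//g')
  [ "$lvl" -ge "$req" ]
}

# check_device SERIAL: read the patch level from one attached device and
# print a verdict line. The property name is the standard Android one.
check_device() {
  serial="$1"
  level=$(adb -s "$serial" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
  if patch_level_ok "$level" "$REQUIRED_PATCH"; then
    printf '%s: patch level %s - CVE-2025-21043 fix present\n' "$serial" "$level"
  else
    printf '%s: patch level "%s" - UPDATE REQUIRED (need %s or later)\n' \
      "$serial" "${level:-unknown}" "$REQUIRED_PATCH"
  fi
}

# check_all: iterate over every device adb reports as "device" (skips the
# header line and devices that are offline or unauthorized).
check_all() {
  adb devices 2>/dev/null | awk 'NR>1 && $2=="device" {print $1}' | while read -r serial; do
    check_device "$serial"
  done
}

# Usage: sh check_patch.sh --scan
if [ "${1:-}" = "--scan" ]; then
  check_all
fi
```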
From a security perspective, Barr says it’s important to ensure that mobile devices have basic protections — not just for the company, but also for the users themselves. “At a minimum, this means ensuring a screen lock is enabled, updates are applied in a timely manner, and that devices are not rooted (Android) or jailbroken (iOS). The real challenge is perception: users often see MDM as invasive, and executives sometimes see it as an unnecessary cost or a productivity hindrance.”
Reframe MDM as a Protective Measure
The way forward is communication, Barr adds. “Security leaders need to reframe MDM as a protective measure that benefits everyone. For employees, that means emphasizing that MDM helps safeguard their personal data as much as company data, and clarifying that it does not equate to ‘spying.’ For executives, the message should be tied to business risk and accountability: unmanaged devices increase the likelihood of breaches, regulatory fines, and reputational harm.”
During Barr’s recent conversation with the security leader, they discussed strategies such as:
- Storytelling with real examples of what happens when a phone is lost or compromised.
- Sharing metrics on device logins, patch compliance, and unmanaged device access to corporate apps.
- Addressing misconceptions such as the fear that MDM will wipe personal photos or track everything a user does.
- Executive sponsorship by aligning MDM with compliance obligations, customer trust, and resilience goals.
Verification is Key
Outside of MDM, he says organizations using Entra ID or other SSO tools can often see logins by device and reach out to users directly to confirm updates. “While Android devices often update automatically, verification is key, especially in light of critical vulnerabilities like CVE-2025-21043.”
In the end, Barr says this issue reinforces the importance of strong mobile device governance. “Security teams must move beyond the debate of personal vs. corporate control and focus on the reality: unmanaged devices are an organizational risk. The person accountable for security will be the one questioned after an incident. To avoid that, leaders must socialize the need for MDM, provide clear evidence for why it matters, and tackle misconceptions head-on. It’s about protection, not control, ensuring the safety of both the organization and its people.”
Attackers Are Shifting
Brian Thornton, Senior Sales Engineer at Zimperium, says zero-day exploits targeting popular apps and OEM libraries show just how fast attackers are shifting to mobile as their way in.
“In this case, a closed-source image library created a broad risk across Samsung devices and the apps that depend on it. Security teams should make sure employees update their Samsung devices right away and tighten up mobile defense plans. Traditional endpoint tools can’t see these kinds of mobile exploits—dedicated mobile security is key to detecting and defending zero-days in real time.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.