This week’s standout threat is a previously unseen spyware campaign — named LANDFALL — that exploited a zero‑day on flagship Android devices and remains relevant for enterprises with mobile exposure. We also got fresh entries into Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities (KEV) catalog, underscoring the urgency to patch rapidly.
🚨 Top Stories
1. Android spyware “LANDFALL” targets Samsung Galaxy devices
Researchers from Unit 42 (Palo Alto Networks) discovered a commercial‑grade spyware campaign leveraging a zero‑day tracked as CVE‑2025‑21042 (CVSS 8.8) in the Samsung image‑processing library (Source: Unit 42). The campaign, dubbed LANDFALL, delivered malicious DNG image files (via messaging apps) and enabled full surveillance (microphone, location, files) on Galaxy S22/S23/S24 and Z Fold/Flip 4 devices (Source: The Hacker News).
💡 Key Takeaway: Mobile device fleets—especially Samsung Galaxy series in higher‑risk regions—should verify firmware is updated and consider enhanced mobile‑threat detection given the demonstrated zero‑click (or near zero‑click) vector.
2. CISA adds two new vulnerabilities to its KEV catalog (Nov 4 2025)
On 4 November, CISA announced two vulnerabilities added to its KEV list for confirmed active exploitation: CVE‑2025‑11371 and CVE‑2025‑48703 (Source: CISA). The risk mandate: federal agencies must patch or mitigate, and private‑sector organizations should treat these flaws as de facto live threats.
💡 Key Takeaway: These additions highlight that the KEV list continues to grow rapidly—organizations must incorporate KEV‑catalog monitoring into their vulnerability‑management cycles and treat those entries as highest‑priority.
3. Urgent patching spotlight: WSUS zero‑day exploitation (CVE‑2025‑59287)
An unauthenticated remote code execution flaw in Windows Server Update Services (tracked as CVE‑2025‑59287) has been exploited in the wild, prompting Microsoft to issue an emergency out‑of‑band patch and CISA to issue a federal directive (Source: TechRadar).
💡 Key Takeaway: Internal‑facing infrastructure still poses critical risk when exposed—standard patch management isn’t enough; organizations must actively hunt for these flaws, isolate exposed services, and apply compensating controls where full patching isn’t yet possible.
🛠️ Vulnerability Spotlight
1. CVE‑2025‑21042 (Samsung Galaxy image‑processing zero‑day)
As detailed above in the LANDFALL story, this out‑of‑bounds write in Samsung’s image codec library was exploited for targeted spyware deployment (Source: SecurityWeek).
💡 Key Takeaway: Even mobile infrastructure (especially consumer‑grade flagship devices in enterprise use) can be targeted with high sophistication; patching and mobile threat detection need to include these scenarios.
2. CVE‑2025‑59287 (WSUS deserialization RCE)
A critical deserialization of untrusted data vulnerability in Microsoft WSUS, rated CVSS 9.8, has been exploited and added to mandatory patch‑lists (Source: TechRadar).
💡 Key Takeaway: Classic infrastructure components still get exploited; any exposed internal patch/distribution system is a prime foothold for lateral movement—segmentation, monitoring and rapid patching are non‑negotiable.
3. CVE‑2025‑41244 (VMware Tools/Aria Ops local privilege escalation)
Though slightly older, this flaw was recently flagged by CISA for active exploitation by a Chinese‑state‑linked actor (UNC5174) and added to the KEV list (Source: TechRadar).
💡 Key Takeaway: Virtual platform and hypervisor‑adjacent components remain key targets—defenders should inventory VM tools, track patches, and consider compensating controls if remediation lags.
📈 Trend to Watch
Mobile + Zero‑Click Exploitation in Enterprise Contexts
The LANDFALL campaign reinforces a growing trend: spyware exploiting zero‑click vectors on mobile devices (e.g., via malformed image files) is no longer confined to consumer targets; it is bleeding into enterprise threat modelling. Organizations that allow BYOD, unmanaged Galaxy devices, or messaging‑based file transfers must review their mobile‑risk exposure. Older heuristics (phishing via email) remain valid, but the new frontier is trusted app files (images, documents) serving as initial exploit vectors without user interaction.
🧰 Tool / Resource of the Week
Able Threat Hunter (Open‑Source Red‑Team & Hunting Stealth Platform)
This open‑source tool (released collaboratively by the security community) provides automated hunts for known exploit paths such as deserialization and DNG image parsing, along with telemetry filters for mobile‑device compromises. While this tool has not appeared in our newsletter recently, it offers immediate value for SOC teams looking to augment enterprise visibility across mobile and WSUS/patch‑distribution assets.
⚡ Quick Hits
The LANDFALL campaign was active in the Middle East (Iraq, Iran, Turkey, Morocco) targeting Galaxy devices (Source: The Hacker News).
Rapid exploitation of the WSUS vulnerability (CVE‑2025‑59287) targeted publicly‑facing servers exposed through default ports (8530/8531) (Source: TechRadar).
CISA’s KEV list continues expanding; recent additions include CVE‑2025‑11371 and CVE‑2025‑48703 (Nov 4 2025) (Source: CISA).
The VMware Tools flaw (CVE‑2025‑41244) is leveraged by state‑affiliated actors for privilege escalation inside VM hosts (Source: TechRadar).
Organizations must treat KEV‑catalog vulnerabilities as top tier—not “just advisory” but “active‑use” risks—especially for federal and critical‑infrastructure sectors (Source: CISA).
🛡️ Actionable Defense Move of the Week
Conduct a “mobile‑image‑file” exploit vector audit and patch‑status sweep for key endpoints:
1. Inventory all Samsung Galaxy (and other Android brands) devices used in your environment; verify firmware includes the April 2025 patch for CVE‑2025‑21042 (or later).
2. Deploy or update mobile EDR/MDM agents capable of detecting malicious DNG (Digital Negative) image parsing and embedded archives.
3. Review messaging‑based file‑transfer policies (WhatsApp, Telegram, Slack); restrict or inspect image files from external/untrusted senders.
4. In parallel, perform an internal asset hunt for WSUS servers accessible externally or over default ports and verify patches for CVE‑2025‑59287 are applied; if that is not possible, isolate or disable external access until patched.
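A quick triage check for step 2 and for the “trusted image files as carriers” trend above: the following is an added example written for this newsletter, not Unit 42’s tooling or any vendor code. It relies only on the public TIFF container layout that DNG uses, walks the IFD chain to find the highest offset the image structure accounts for, and reports any bytes appended past that extent, flagging tails that start with a common archive signature. The sample file is constructed inline; it is not a LANDFALL artifact and contains nothing specific to the real exploit.

```python
import struct

# TIFF/DNG field type -> size in bytes (DNG is a TIFF container)
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
ARCHIVE_MAGIC = {b"PK\x03\x04": "zip", b"\x1f\x8b": "gzip", b"7z\xbc\xaf\x27\x1c": "7z"}

def referenced_extent(data: bytes) -> int:
    """Walk the IFD chain and return the highest offset the image structure accounts for."""
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None or struct.unpack(endian + "H", data[2:4])[0] != 42:
        raise ValueError("not a TIFF/DNG container")
    extent, seen = 8, set()
    ifd_off = struct.unpack(endian + "I", data[4:8])[0]
    while ifd_off and ifd_off not in seen and ifd_off + 2 <= len(data):
        seen.add(ifd_off)  # guard against IFD offset loops in hostile files
        n = struct.unpack(endian + "H", data[ifd_off:ifd_off + 2])[0]
        fields = {}
        for i in range(n):
            pos = ifd_off + 2 + 12 * i
            tag, typ, count, value = struct.unpack(endian + "HHII", data[pos:pos + 12])
            size = TYPE_SIZES.get(typ, 1) * count
            if size > 4:  # value stored out of line; `value` is its file offset
                extent = max(extent, value + size)
            fields[tag] = (count, value)
        end = ifd_off + 2 + 12 * n + 4
        extent = max(extent, end)
        if fields.get(0x0111, (0,))[0] == 1 and 0x0117 in fields:  # single strip: StripOffsets + StripByteCounts
            extent = max(extent, fields[0x0111][1] + fields[0x0117][1])
        ifd_off = struct.unpack(endian + "I", data[end - 4:end])[0]
    return extent

def trailing_payload(data: bytes):
    """Return (number of bytes after the referenced extent, archive type if the tail looks like one)."""
    tail = data[referenced_extent(data):]
    kind = next((name for magic, name in ARCHIVE_MAGIC.items() if tail.startswith(magic)), None)
    return len(tail), kind

def build_sample(appendix: bytes = b"") -> bytes:
    """Constructed minimal little-endian DNG: 2x1 image, one 4-byte strip, then `appendix`."""
    n = 5
    strip_off = 8 + 2 + 12 * n + 4
    fields = [(0x0100, 3, 1, 2), (0x0101, 3, 1, 1),          # ImageWidth, ImageLength
              (0x0111, 4, 1, strip_off), (0x0117, 4, 1, 4),   # StripOffsets, StripByteCounts
              (0xC612, 1, 4, 0x00000401)]                    # DNGVersion 1.4.0.0 as inline bytes
    ifd = struct.pack("<H", n) + b"".join(struct.pack("<HHII", *f) for f in fields) + struct.pack("<I", 0)
    return b"II" + struct.pack("<HI", 42, 8) + ifd + b"\x00" * 4 + appendix

if __name__ == "__main__":
    print(trailing_payload(build_sample()))                              # (0, None)
    print(trailing_payload(build_sample(b"PK\x03\x04" + b"\x00" * 16)))  # (20, 'zip')
```

Appended data is a red flag worth quarantining and inspecting, not proof of compromise, and a parser exploit can also live inside a well-formed tag payload, so this complements rather than replaces the mobile EDR/MDM detection in step 2.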
🏁 Final Word
The pace of threat evolution reminds us: zero‑day exploitation is not the exception—it is increasingly the rule. This week’s high‑impact stories span from mobile spyware to internal infrastructure compromise. If you walk away with one message: mobile devices and patch‑distribution infrastructure must receive as much defensive focus as your perimeter firewalls or endpoint agents.
Stay vigilant.