Samsung has disclosed a serious vulnerability affecting a core utility within its Android devices, one that has already been exploited in zero-day attacks.
The flaw resides in libimagecodec.quram.so, a closed-source image-parsing library supplied by Quramsoft, and allows remote attackers to execute arbitrary code via specially crafted image files.
“Zero-day exploits targeting popular apps and OEM libraries show just how fast attackers are shifting to mobile as their way in,” said Brian Thornton, Senior Sales Engineer at Zimperium. “Security teams should make sure employees update their Samsung devices right away and tighten up mobile defense plans.”
While Samsung has not said how the bug affects KNOX-protected enterprise environments, it is prudent to assume risk: an RCE exploit of this kind can generally bypass user-level protections, undermine device-management controls, or create a foothold for broader compromise in mixed personal-and-work fleets.
With Samsung devices running Android 13 through 16 affected by the now-fixed vulnerability, many corporate fleets may still be exposed. The affected library is used widely across Samsung devices wherever image handling occurs, including system apps (Gallery, Camera), messaging apps, and third-party apps that rely on Samsung’s image APIs.
The bug behind the pixels
Tracked as CVE-2025-21043, the flaw is an out-of-bounds write in libimagecodec.quram.so, a Samsung-specific image-parsing library. An attacker can trigger the bug with a specially crafted image file, leading to remote code execution (RCE).
Samsung confirmed the critical bug (CVSS 8.8 out of 10) was already being exploited when Meta/WhatsApp reported it privately in August. While attack specifics remain undisclosed, messaging apps are an obvious vector since they routinely decode incoming images without user interaction. Security experts stress that the exploit can run silently, requiring little or no action from the victim, the hallmark of a zero-click threat.
“This issue reinforces the importance of strong mobile device governance,” said Randolph Barr, chief information security officer at Cequence Security. “Security teams must move beyond the debate of personal vs corporate control and focus on the reality: unmanaged devices are an organizational risk.”
As the person accountable for security will be the one questioned after an incident, leaders must socialize the need for mobile device management (MDM), provide clear evidence for why it matters, and tackle misconceptions head-on, Barr added.
Patch now or risk a backdoor
Samsung’s September 2025 Security Maintenance Release (SMR Sep-2025 Release 1) addresses the flaw, which affects devices running Android versions 13 through 16. “Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code,” Samsung said in the disclosure.
For enterprises, CVE-2025-21043 is more than a personal device issue: it represents a potential backdoor into corporate networks. Exploitation could allow attackers to access sensitive business apps, email accounts, and corporate data stored on the device.
Devices with incomplete patching in bring-your-own-device (BYOD) or mixed-managed environments may inadvertently act as bridges into critical enterprise systems. Barr noted that tracking patch compliance can be challenging in BYOD setups, where users may resist MDM controls or updates. “Outside of MDM, organizations using Entra ID or other SSO tools can often see logins by device and reach out to users directly to confirm updates.” While updates are often automatic on Android devices, verification is still key, he added.
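Where devices can be reached over adb (a lab pool, or loaner and test handsets), the patch state can be verified directly rather than trusted. The script below is an added example, not Samsung's or Zimperium's code. It reads the standard Android property ro.build.version.security_patch and assumes that the fix for CVE-2025-21043 ships with a security patch level (SPL) of 2025-09-01 or later, which is what SMR Sep-2025 Release 1 corresponds to; the FIX_SPL value, the function names and the sample property values used below are assumptions for illustration.

```shell
#!/bin/sh
# Added example: is a Samsung device patched for CVE-2025-21043?
# Assumption: the fix ships with SPL 2025-09-01 (SMR Sep-2025 Release 1).
FIX_SPL="2025-09-01"

# spl_is_patched SPL
# Returns 0 if SPL (YYYY-MM-DD, as reported by ro.build.version.security_patch)
# is at or after FIX_SPL, 1 if it is older, 2 if the string is malformed.
spl_is_patched() {
    spl="$1"
    case "$spl" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Compare as integers (20250901) so the test stays POSIX sh.
    n=$(printf '%s' "$spl" | sed 's/-//g')
    f=$(printf '%s' "$FIX_SPL" | sed 's/-//g')
    [ "$n" -ge "$f" ]
}

# device_status SERIAL MANUFACTURER ANDROID_RELEASE SPL
# Prints one verdict line. Returns 0 = patched, 1 = vulnerable,
# 2 = unknown (unparsable SPL), 3 = out of scope (not Samsung or not Android 13-16).
device_status() {
    serial="$1"; manufacturer="$2"; release="$3"; spl="$4"
    # Samsung reports the manufacturer in mixed case on some builds.
    lower=$(printf '%s' "$manufacturer" | tr 'A-Z' 'a-z')
    if [ "$lower" != "samsung" ]; then
        printf '%s: out of scope (manufacturer %s)\n' "$serial" "$manufacturer"
        return 3
    fi
    case "$release" in
        13|14|15|16) ;;
        *) printf '%s: out of scope (Android %s)\n' "$serial" "$release"; return 3 ;;
    esac
    if spl_is_patched "$spl"; then
        printf '%s: patched (SPL %s)\n' "$serial" "$spl"
        return 0
    else
        rc=$?
        if [ "$rc" -eq 2 ]; then
            printf '%s: unknown (SPL "%s" unparsable)\n' "$serial" "$spl"
        else
            printf '%s: VULNERABLE (SPL %s < %s)\n' "$serial" "$spl" "$FIX_SPL"
        fi
        return "$rc"
    fi
}

# Query every device adb can see and classify it. Requires adb on PATH.
check_connected_devices() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        m=$(adb -s "$serial" shell getprop ro.product.manufacturer | tr -d '\r')
        r=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
        s=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        device_status "$serial" "$m" "$r" "$s" || true
    done
}

# Only touch adb when explicitly asked: sh check_spl.sh --scan
case "${1:-}" in
    --scan) check_connected_devices ;;
esac
```

The verdict is based on the patch level string alone, so a device that reports 2025-09-01 but has had its firmware rolled back or sideloaded would still be classed as patched; treat the output as evidence for the conversation Barr describes, not as proof. For fleets that cannot be reached over adb, the same property is what most MDM platforms surface as the device's security patch level, and the same comparison applies.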