
Samsung’s image library flaw opens a zero-click backdoor

    Shweta Sharma

    The widely used image-parsing library suffers from a flaw that can allow remote code execution via crafted images in Android devices, putting connected corporate workflows at risk.


    Samsung has disclosed a serious vulnerability affecting a core utility within its Android devices, one that has already been exploited in zero-day attacks.

    The flaw resides in a closed-source image-parsing library, “libimagecodec.quram.so”, supplied by Quramsoft, and allows remote attackers to execute arbitrary code via specially crafted image files.

    “Zero-day exploits targeting popular apps and OEM libraries show just how fast attackers are shifting to mobile as their way in,” said Brian Thornton, Senior Sales Engineer at Zimperium. “Security teams should make sure employees update their Samsung devices right away and tighten up mobile defense plans.”

    While Samsung has not said how the bug might affect KNOX-protected enterprise environments, it is prudent to assume risk: an RCE exploit can generally bypass user protections, undermine device management controls, or create a foothold for broader compromise in mixed personal-and-work fleets.

    With all Android 13 through 16 devices impacted by the now-fixed vulnerability, many corporate fleets may still be vulnerable. The affected library is used widely across Samsung devices wherever image handling occurs, including system apps (Gallery, Camera), messaging apps, and third-party apps that rely on Samsung’s image APIs.

    The bug behind the pixels

    Tracked as CVE-2025-21043, the flaw is an out-of-bounds write issue in libimagecodec.quram.so, a Samsung-specific image parsing library. An attacker can trigger the bug with a specially crafted image file, leading to remote code execution (RCE).

    Samsung confirmed the critical bug (CVSS 8.8 out of 10) was being exploited when Meta/WhatsApp reported it privately in August. While attack specifics remain undisclosed, messaging apps are an obvious vector since they routinely process incoming images. Security experts stress that the exploit can run silently, requiring little or no action from the victim, a classic zero-click threat.

    “This issue reinforces the importance of strong mobile device governance,” said Randolph Barr, chief information security officer at Cequence Security. “Security teams must move beyond the debate of personal vs corporate control and focus on the reality: unmanaged devices are an organizational risk.”

    As the person accountable for security will be the one questioned after an incident, leaders must socialize the need for mobile device management (MDM), provide clear evidence for why it matters, and tackle misconceptions head-on, Barr added.

    Patch now or risk a backdoor

    A September 2025 Release 1 patch addresses the flaw that affects devices running Android versions 13 through 16. “Out-of-bounds Write in libimagecodec.quram.so prior to SMR Sep-2025 Release 1 allows remote attackers to execute arbitrary code,” Samsung said in the disclosure.

    For enterprises, CVE-2025-21043 is more than a personal device issue; it represents a potential backdoor into corporate networks. Exploitation could allow attackers to access sensitive business apps, email accounts, and even corporate data stored on the device.

    Devices with incomplete patching in bring-your-own-device (BYOD) or mixed-managed environments may inadvertently act as bridges into critical enterprise systems. Barr noted that tracking patch compliance can be challenging in BYOD setups, where users may resist MDM controls or updates. “Outside of MDM, organizations using Entra ID or other SSO tools can often see logins by device and reach out to users directly to confirm updates.” While updates are often automatic on Android devices, verification is still key, he added.
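    The patch-compliance check described above, as an added example (not CSO's, Samsung's or any MDM vendor's code): it triages a device export for CVE-2025-21043 exposure. It assumes the CSV columns shown and that Samsung's SMR Sep-2025 Release 1 corresponds to an Android security patch level of 2025-09-01 or later; devices with a blank or unparseable patch level are flagged as unknown rather than silently passed.

```python
# Added example (not CSO's or Samsung's code): triage an MDM/SSO device export
# for CVE-2025-21043. Assumptions not on the page: the CSV columns below, and
# that SMR Sep-2025 Release 1 maps to security patch level 2025-09-01 or later.
import csv
import io
from datetime import date

FIXED_PATCH_LEVEL = date(2025, 9, 1)   # assumed patch level of SMR Sep-2025 Release 1
AFFECTED_ANDROID = range(13, 17)       # Android 13 through 16, per Samsung's advisory

# Constructed sample inventory; the column names are assumptions.
SAMPLE_INVENTORY = """\
device_id,manufacturer,android_version,security_patch
d-001,samsung,15,2025-09-01
d-002,samsung,14,2025-08-01
d-003,samsung,16,
d-004,google,14,2025-07-05
d-005,SAMSUNG,12,2025-06-01
d-006,samsung,13.0,2025-10-01
"""

def parse_patch_level(value):
    """Return the security patch level as a date, or None if missing/unparseable."""
    try:
        return date.fromisoformat(value.strip())
    except (AttributeError, ValueError):
        return None

def classify(row):
    """'patched', 'vulnerable', 'unknown' (needs follow-up) or 'not_affected'."""
    if row["manufacturer"].strip().lower() != "samsung":
        return "not_affected"
    try:
        major = int(row["android_version"].split(".")[0])
    except ValueError:
        return "unknown"
    if major not in AFFECTED_ANDROID:
        return "not_affected"
    patch = parse_patch_level(row["security_patch"])
    if patch is None:
        return "unknown"   # blank/garbled patch level: cannot verify remotely
    return "patched" if patch >= FIXED_PATCH_LEVEL else "vulnerable"

def triage(csv_text):
    """Group device ids by classification so vulnerable/unknown ones can be chased."""
    groups = {"patched": [], "vulnerable": [], "unknown": [], "not_affected": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        groups[classify(row)].append(row["device_id"])
    return groups
```

    Call `triage(SAMPLE_INVENTORY)` to see the grouping; on a real export, the vulnerable and unknown lists are the devices whose owners need the follow-up Barr describes.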


    Shweta Sharma

    Shweta has been writing about enterprise technology since 2017, most recently reporting on cybersecurity for CSO online. She breaks down complex topics from ransomware to zero trust architecture for both experts and everyday readers. She has a postgraduate diploma in journalism from the Asian College of Journalism, and enjoys reading fiction, watching movies, and experimenting with new recipes when she’s not busy decoding cyber threats.
