CISA Adds Zero-Day Bug to KEV List
Samsung Zero-Day Vulnerability: Urgent Patch Required for Millions of Devices
A critical zero-day vulnerability in Samsung devices is being actively exploited by private-sector offensive actors (PSOAs), prompting a security directive from the US Cybersecurity and Infrastructure Security Agency (CISA). Millions of Galaxy phones and foldable devices are at risk.
Published: November 11, 2025, 10:47:24 AM PST
What Happened?
A zero-day vulnerability, designated CVE-2025-21042, exists in a wide range of Samsung Galaxy devices. "Zero-day" here means the flaw was unknown to Samsung and to security researchers until it was discovered being exploited in the wild. According to security researchers, the vulnerability allows attackers to remotely compromise devices. The exploitation has been ongoing since at least last year, indicating a sustained and targeted campaign.
Which Devices Are Affected?
The following Samsung devices are confirmed to be affected by CVE-2025-21042:
| Device Model |
|---|
| Galaxy S22 |
| Galaxy S23 |
| Galaxy S24 |
| Galaxy Z Fold4 |
| Galaxy Z Flip4 |
Samsung has not yet released an exhaustive list of all affected devices. Users of other Galaxy models are advised to monitor Samsung's security updates and apply them promptly.
CISA’s Emergency Directive
The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-21042 to its Known Exploited Vulnerabilities (KEV) catalog on November 10, 2025. Under Binding Operational Directive (BOD) 22-01, an addition to the catalog triggers a mandatory remediation deadline for US Federal Civilian Executive Branch (FCEB) agencies.
Federal agencies are required to take one of the following actions by December 1, 2025:
- Apply mitigations as provided by Samsung in their security updates.
- Follow applicable BOD 22-01 guidance for cloud services, if applicable.
- Discontinue use of the affected product if mitigations are unavailable.
While the KEV catalog and its deadlines bind only federal agencies, CISA strongly encourages private sector organizations to adopt these recommendations to bolster their own security posture.
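The KEV catalog is published as a JSON feed, and the practical use of it is to index the feed by CVE and compute where each entry stands against its due date. The script below is an added example, not code from the article or from CISA: it parses a constructed sample that mirrors the feed's field names (`cveID`, `vendorProject`, `dueDate`, and so on), with the CVE-2025-21042 dates taken from the article and the second entry, all free-text fields and the `ExampleVendor` name invented to exercise the overdue path.

```python
import json
from datetime import date

# Constructed sample mirroring the schema of CISA's published feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates for CVE-2025-21042 come from the article; the second entry and all
# descriptive text are illustrative, not CISA's wording.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "sample",
  "dateReleased": "2025-11-10T00:00:00.0000Z",
  "count": 2,
  "vulnerabilities": [
    {
      "cveID": "CVE-2025-21042",
      "vendorProject": "Samsung",
      "product": "Mobile Devices",
      "vulnerabilityName": "Samsung Mobile Devices vulnerability (sample wording)",
      "dateAdded": "2025-11-10",
      "shortDescription": "Sample description.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.",
      "dueDate": "2025-12-01",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "",
      "cwes": []
    },
    {
      "cveID": "CVE-2099-0001",
      "vendorProject": "ExampleVendor",
      "product": "ExampleProduct",
      "vulnerabilityName": "Constructed entry used to show overdue handling",
      "dateAdded": "2025-10-01",
      "shortDescription": "Sample description.",
      "requiredAction": "Apply mitigations per vendor instructions.",
      "dueDate": "2025-10-22",
      "knownRansomwareCampaignUse": "Unknown",
      "notes": "",
      "cwes": []
    }
  ]
}"""

ARTICLE_DATE = date(2025, 11, 11)  # publication date of the article above


def load_catalog(text):
    """Parse a KEV feed and index its entries by CVE ID.

    A feed without a 'vulnerabilities' list, or an entry lacking a CVE ID or
    due date, raises ValueError so a truncated download is never mistaken
    for an empty catalog.
    """
    data = json.loads(text)
    vulns = data.get("vulnerabilities")
    if not isinstance(vulns, list):
        raise ValueError("feed has no 'vulnerabilities' list")
    catalog = {}
    for entry in vulns:
        cve = entry.get("cveID")
        if not cve or "dueDate" not in entry:
            raise ValueError(f"malformed KEV entry: {entry!r}")
        catalog[cve] = entry
    return catalog


def remediation_status(entry, today):
    """Return (state, days) relative to the entry's BOD 22-01 due date.

    state is "pending", "due_today" or "overdue"; days counts to (or past)
    the due date.
    """
    due = date.fromisoformat(entry["dueDate"])
    delta = (due - today).days
    if delta > 0:
        return "pending", delta
    if delta == 0:
        return "due_today", 0
    return "overdue", -delta


def vendor_report(catalog, vendor, today):
    """Every entry for one vendor (case-insensitive) with its remediation state."""
    rows = []
    for cve, entry in sorted(catalog.items()):
        if entry.get("vendorProject", "").lower() == vendor.lower():
            state, days = remediation_status(entry, today)
            rows.append((cve, entry["dueDate"], state, days))
    return rows


def overdue_cves(catalog, today):
    """CVE IDs whose due date has already passed as of 'today'."""
    return [cve for cve, e in sorted(catalog.items())
            if remediation_status(e, today)[0] == "overdue"]


if __name__ == "__main__":
    catalog = load_catalog(SAMPLE_KEV_JSON)
    for cve, due, state, days in vendor_report(catalog, "Samsung", ARTICLE_DATE):
        print(f"{cve}: due {due}, {state} ({days} days)")
    print("overdue as of", ARTICLE_DATE, "->", overdue_cves(catalog, ARTICLE_DATE))
```

Against the real feed, replace `SAMPLE_KEV_JSON` with the downloaded file's contents and pass `date.today()`; the `vendorProject` filter is the quickest way to pull every Samsung entry rather than only the one this article covers.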
Who Are the Private Sector Offensive Actors (PSOAs)?
The term “Private Sector Offensive Actors” (PSOAs) refers to companies that develop and sell zero-day exploits and intrusion capabilities to governments, intelligence agencies, and law enforcement. These actors often operate in a legal gray area, and their tools can be misused for malicious purposes. The specific PSOAs exploiting CVE-2025-21042 have not been publicly identified, but their involvement underscores the severity of the vulnerability.
