20 April 2026
KLCERT-25-012: Qualcomm chipset series. Write-what-where Condition vulnerability in BootROM
Vendor
Qualcomm
-
CVE
-
KLCERT
KLCERT-25-012
Description
A CWE-123: Write-what-where Condition vulnerability exists in Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 chipset series that could allow an attacker with physical access to the target system to bypass the secure boot chain and execute arbitrary code on the targeted system with maximum privileges.
CVSS v3.1
Exploitability
Physical access is required
Attack complexity
User interaction
Confidentiality
Availability
High
Integrity
High
Impact
Affected products
The following Qualcomm products:
- Qualcomm MDM9x07 (All versions)
- Qualcomm MDM9x45 (All versions)
- Qualcomm MDM9x65 (All versions)
- Qualcomm MSM8909 (All versions)
- Qualcomm MSM8916 (All versions)
- Qualcomm MSM8952 (All versions)
- Qualcomm SDX50 (All versions)
Mitigation
Kaspersky ICS CERT mitigation
- Monitor for anomalies in device behavior, like heating up when the device is not being used.
- Exercise strict physical security control over devices.
Kaspersky publishes information on newly identified vulnerabilities in order to raise user awareness of the IT security threats detected. Kaspersky does not make any guarantees in respect of information received from vendors of products in which vulnerabilities have been identified, which is included in the following sections of the advisory: Affected Products, Vendor Mitigation.
