What Kaspersky Discovered Inside Qualcomm Chips
Kaspersky ICS CERT researchers have uncovered a critical Qualcomm chip vulnerability, tracked as CVE-2026-25262, that turns long‑standing smartphone security assumptions upside down. The flaw lives in the BootROM, the very first code that runs when a Qualcomm‑powered device starts. BootROM is etched into the silicon and is read‑only, forming the root of the secure boot chain that should protect phones, cars, and IoT devices from low‑level compromise. By abusing this Qualcomm chip vulnerability, attackers can inject code that runs before the operating system, bypassing conventional security controls entirely. Because the vulnerability is tied to the chip architecture itself, it is considered an unpatchable security flaw for devices already manufactured. Qualcomm has acknowledged the issue and reserved a CVE identifier, committing only to fix it in future chips, which leaves millions of existing devices exposed for their entire service life.
How Emergency Download Mode Becomes an Attack Door
The vulnerability is exploited via Emergency Download Mode (EDL), a low‑level recovery feature meant to unbrick devices. EDL uses a protocol called Sahara that is implemented directly inside the ARM Primary Boot Loader—the BootROM itself. When a device enters EDL, it waits quietly for a USB connection and then accepts a specially signed utility from a connected computer. Kaspersky’s research found a flaw in how the device verifies file chunks during this process, creating a classic write‑what‑where condition. In practice, that means an attacker with brief physical access can write arbitrary data to arbitrary memory locations, hijacking execution before the operating system boots. This turns a legitimate maintenance feature into a powerful smartphone security threat. Because security layers higher up the stack are not yet active in EDL, usual defenses like screen locks, encryption prompts, and mobile security apps cannot block this mobile device vulnerability at the moment of exploitation.
Which Devices Are Affected and What Attackers Can Do
CVE-2026-25262 impacts several Qualcomm chip families: MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50. These are widely deployed in budget smartphones, IoT modem modules, smart home gear, industrial systems, healthcare monitors, logistics trackers, banking terminals, and even automotive control units. Once the unpatchable security flaw is exploited, attackers can potentially access any data processed by the device, including passwords, files, contacts, geolocation data, and feeds from hardware sensors like the camera and microphone. In some scenarios, they may gain complete control over the device. The main limitation is that the attacker must physically connect via cable for a few minutes, but that can happen during third‑party repairs, at inspection checkpoints, through lost‑and‑found scams, or via insiders in corporate environments. After compromise, the backdoor can be so deeply embedded that ordinary tools may never detect it.
Why This Qualcomm Bug Cannot Be Patched
Unlike typical software flaws fixed by updates, this Qualcomm chip vulnerability resides in BootROM, which is literally baked into the silicon. BootROM cannot be modified after manufacturing, so no firmware or operating system update can remove the bug from affected devices. Qualcomm has listed the issue in its security bulletin and plans to ship future chip generations without the flaw, but existing smartphones, cars, and IoT devices will carry this risk permanently. That does not mean every device is doomed, but it does change the security model: physical access now equates to the power to circumvent the secure boot chain. Organizations and individuals must treat devices with these chips as inherently more sensitive to hands‑on attacks. The only definitive “fix” for already‑affected hardware is full replacement with models using revised silicon once they become available on the market.
Practical Mitigation Strategies for Users and Organizations
Even though the flaw is unpatchable, its dependence on physical access gives users meaningful defensive options. First, enforce strict physical control: avoid leaving devices unattended, especially during travel or business trips, and be wary of situations where others might gain cable access for several minutes. Second, use only authorized, trusted service centers; the repair bench is a realistic point where a covert implant could be installed. Third, keep firmware and operating systems fully updated—these updates cannot fix BootROM, but they can close other weaknesses that might be chained with this one. Mobile security tools, such as reputable Android protection suites, add another layer against post‑exploitation activity. Finally, watch for red flags like unexplained overheating, abnormal network traffic, or strange app behavior. If compromise is suspected, fully cutting power—by removing the battery or letting it drain to zero—can often wipe the injected code, since the researchers did not confirm that the injected code persists in non‑volatile memory.
