Normal view

Breaking down the new Qualcomm chip vulnerability | Kaspersky official blog

Imagine handing your smartphone over for repair. A couple of days later, you pick it up — and great, it’s working again! But you won’t even realize that your device has been injected with malicious code, allowing attackers to access your smartphone even when it’s locked.

This is the beginning of the story shared by Kaspersky ICS CERT researchers, Alexander Kozlov and Sergey Anufrienko, at the Black Hat Asia 2026 conference. They managed to uncover a vulnerability that flips conventional assumptions about smartphone and IoT security on their head. Its core lies at the very heart of Qualcomm chips.

What is BootROM?

To grasp the severity of this discovery, we first need to look at how a modern device powered by a Qualcomm chip boots up. Think of it as a fortress with multiple layers of security. Each subsequent layer verifies the pass issued by the previous one. The bedrock foundation — the most trusted layer of them all — is the BootROM, a read-only memory baked directly into the silicon that can’t be modified once it comes off the fab.

The BootROM is the very first thing to run when a device powers on. It verifies the signature of the next bootloader, which in turn verifies the next, building a chain of trust all the way up to the operating system. If an attacker can compromise this chain at the BootROM level, it’s game over: the malicious code will execute before the main operating system even has a chance to load.

This is exactly what attackers can do by exploiting the CVE-2026-25262 vulnerability discovered by Kaspersky ICS CERT researchers.

Emergency Download Mode as an entry point

The research began with a protocol called Sahara. This is a component of Emergency Download Mode (EDL). Manufacturers and service centers use it to revive bricked devices: the phone is connected to a computer via USB, and a special utility program signed by the manufacturer (in this case, Qualcomm) is uploaded to it.

Sahara is implemented directly within the ARM PBL (Primary Boot Loader) — the BootROM itself. This means the protocol runs before any operating system boots, before any user access privileges are checked, and before any security controls are activated. The device simply waits for a USB connection, ready to accept data.

The communication scheme looks simple: the device sends a handshake (HELLO) to the computer, the computer selects the mode, a cycle begins to upload the utility program in chunks, and finally, the device executes the uploaded code. And it was within the verification logic of these very file chunks that the vulnerability was identified.

Write-what-where: the core of the vulnerability

In technical terms, the bug introduced by the developers is classified as CWE-123: Write-What-Where Condition. This is about as bad as it gets when it comes to flaws in low-level programming. An attacker can write arbitrary data to an arbitrary address in the device memory.

Without diving too deep into the technical weeds, suffice it to say that by exploiting the discovered vulnerability, attackers can gain access to any data on the device, including user-entered passwords, files, contacts, geolocation data, as well as the hardware sensors like the camera and microphone. In certain scenarios, complete control over the device is possible. Just a few minutes of physical access to the device via a cable connection, and the gadget has been compromised. This creates a risk if you hand your smartphone over to a repair shop, pass it to someone else to set up and install apps on, or just leave it unattended.

Which devices are affected

The CVE-2026-25262 vulnerability affects the following Qualcomm chip series: MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 — every single version released to date, until the vulnerability is patched by the manufacturer.

These are no obsolete museum pieces. The MDM9207, which we used for the bulk of our research, is integrated into modem modules for the internet of things (IoT), industrial equipment, smart home devices, healthcare monitoring systems, logistics trackers, and banking terminals. The MSM8916 powers many budget smartphones, while the SDX50 is used in automotive control units.

How vulnerable devices get attacked

The catch is that the attacker needs physical access to the device to pull this off. In the real world, this translates to:

  • Smartphone repairs at third-party repair shops, where the phone is left for several hours
  • Customs checkpoints in certain countries, where devices are withheld, inspected, and then returned
  • Lost and found scams, where your phone is stolen, tampered with, and then mysteriously found
  • Corporate espionage via an insider or a rogue employee

With just a few minutes of physical access to the device an attacker can plant a backdoor so deep inside that standard research tools won’t even detect it in most cases.

Why there’s no patch — and what to do

Qualcomm was notified of the discovery in March 2025 and confirmed the vulnerability in its chips. To identify it, the vendor reserved CVE-2026-25262, and on April 20, 2026, Kaspersky ICS CERT published technical information on the vulnerability and recommendations for users.

Qualcomm included this vulnerability in its May security bulletin. While fixing already-made devices is fundamentally impossible, the company promised to make all future chips without this vulnerability.

If you currently own a device with an affected chip, use our recommendations below to help mitigate the risk of infection.

  • Enforce strict physical control: don’t leave your devices unattended, especially when traveling or on business trips.
  • Choose only authorized service centers for repairs and maintenance.
  • Regularly update your firmware — this won’t patch the BootROM vulnerability, but it can eliminate many related vulnerabilities at higher levels.
  • Use a Kaspersky for Android on your device. This will safeguard your gadget from other threats that, combined with this vulnerability, could lead to unpredictable consequences.

If you notice that your gadget with a vulnerable Qualcomm chip starts acting up — overheating when idle, reporting unexpected spikes in network traffic, or exhibiting strange app behavior — you may have fallen victim to this vulnerability. You can wipe the malicious code and reset your device to its baseline state simply by completely cutting its power. This means either pulling the battery or letting it drain all the way to zero until the gadget shuts down entirely. In this case, the malicious code will most likely not persist on the device — during our research, we were unable to confirm that it could achieve persistence in non-volatile memory.

Want to learn more about severe vulnerabilities in Android phones? Check out these posts:

XBOX haalt analist Matthew Ball binnen om consolestrategie te leiden

21 May 2026 at 15:38
Microsoft heeft gaminganalist Matthew Ball aangesteld als nieuwe chief strategy officer van XBOX. Hij is volgens XBOX-baas Asha Sharma een 'ervaren gamer' en moet helpen het consolemerk te versterken. XBOX krijgt ook een nieuwe cto: Scott Van Vliet, die afkomstig is van Azure.

Nvidia haalt opnieuw recordomzet, 92 procent daarvan dankzij AI en datacenters

21 May 2026 at 14:57
Nvidia haalde vorig kwartaal opnieuw een omzetrecord. Dat maakt ceo Jensen Huang bekend bij de presentatie van de kwartaalcijfers. Het is grotendeels te danken aan de verkoop van AI-chips voor datacenters; videokaarten worden niet eens meer als losse omzetcategorie vermeld.

Attackers spill plaintext passwords of 46k Myspace93 users after 2021 breach

21 May 2026 at 14:20
Users of the Myspace93 parody web art site be warned: the dataset spilled after a reported breach in 2021 included the plaintext usernames and passwords of more than 46,000 registered users. The site's co-creator has blamed "trusted members" of a Windows93 Discord channel for the leakage. The figure of 46,000+ users is a recent estimate from HaveIBeenPwned (HIBP) - the web's go-to breach aggregator - which ingested the related data this week, more than five years after the January 2021 attack. In addition to the clear-as-day passwords and usernames, HIBP said email addresses and IP addresses were also among the exposed data. Myspace93 is an offshoot of the Windows93 project. They’re both websites that spoof the old social media network and operating system respectively, allowing users to experience them now that they’re long gone. Its co-creator, who only goes by the alias jankenpopp, or Janken, penned a note to the website’s users following the attack. Dated July 4, 2021, Janken explained that the breach came about after they shared a beta app with trusted members of the Windows93 Discord channel. According to Janken, those members betrayed the co-creator and used their access to the beta application to steal server files and gain access to an unencrypted credential store. “None of them alerted me immediately to what was going on,” Janken wrote. “On the contrary, they created a program to download our entire server, and it was only a week later that another honest user alerted me to the fact that these people were bragging about having the Myspace passwords. “They didn't want to tell me the truth, and it took me two days to get a confession from them: not only had they downloaded all the source files of Windows93 behind my back, but also the unencrypted file containing the passwords of more than 45k Myspace users. The group had also shared a download tool - along with instructions for using it - in their chat, and had posted numerous stolen files (unrelated to Myspace) across multiple platforms, said Janken. “I removed the .smash app from the server and called them to order. They whimpered and promised me on their honor to delete all the stuff and that things would not go any further. I believed them because at the time we were very close, we talked every day, and they regularly helped me to manage the community, to fix bugs, sometimes to code new features for Windows93 or to make the services more secure. I really trusted them back in the day and considered them part of my team. I blame myself for being so naive.” The MySpace93 website is still up and running for anyone who wants to revel in a little noughties internet nostalgia, but the ability to register an account and use the site as a social network is closed. Affected users should make sure they watch out for any reused passwords on other sites and switch on 2FA where they can. Janken said they had closed all the social network-related services across all the Windows93 offshoots as a result of the findings. ®

ASUS brengt zijn laptops zonder Windows en Linux niet uit in Nederland en België

21 May 2026 at 13:57
ASUS heeft geen plannen om zijn nieuwe initiatief voor laptops zonder besturingssysteem naar Nederland en België te brengen. De fabrikant verkoopt in Zweden, Denemarken, Noorwegen en Finland enkele van zijn laptops zonder Windows, Linux of welk ander besturingssysteem dan ook.

ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories

This week starts small. A token leaks. A bad package slips in. A login trick works. An old tool shows up again. At first, it feels like the usual mess. Then you see the pattern: attackers are not always breaking in. They are using the parts we already trust. That is what makes it worrying. The danger is in normal things now - updates, apps, cloud buttons, support chats, trusted accounts. AI

High-NA-machines van ASML maken in de komende maanden hun eerste echte chips

21 May 2026 at 13:48
ASML's high-NA-euv-machines zullen 'in de komende maanden' hun eerste producten belichten. Dat zei ASML-ceo Christophe Fouquet tijdens een conferentie. Dat is een grote mijlpaal: de machines deden al aan testproductie, maar werden nog niet gebruikt om 'echte' chips te maken.

Cisco serves up yet another perfect 10 bug with Secure Workload admin flaw

21 May 2026 at 13:27
Cisco has disclosed yet another perfect 10 vulnerability, this time warning that unauthenticated attackers could gain Site Admin privileges in its Secure Workload platform simply by sending crafted API requests to vulnerable systems. The bug, tracked as CVE-2026-20223, earned the full 10.0 CVSS treatment and affects Cisco Secure Workload Cluster Software in both SaaS and on-prem environments. According to Cisco's barebones advisory, the issue boils down to weak validation and authentication checks in internal REST API endpoints. In practical terms, that means attackers don't require credentials, user interaction, or any significant effort to exploit the bug. Cisco said a successful attack could allow remote attackers to "read sensitive information and make configuration changes across tenant boundaries with the privileges of the Site Admin user." Cross-tenant bugs tend to make cloud customers especially twitchy because they undermine one of the core assumptions of multi-tenant infrastructure: namely that somebody else's compromise is not supposed to become your problem. Cisco noted that the flaw affects internal REST APIs rather than the platform's web management interface, although that distinction is unlikely to bring much comfort to admins staring at a 10.0 severity score. The networking giant said there are currently no workarounds, and customers must install fixed releases to fully remediate the issue. Cisco Secure Workload 3.10 is fixed in version 3.10.8.3, while 4.0 is fixed in 4.0.3.17. Customers running version 3.9 or earlier are being told to migrate to a supported fixed release. Cisco added that its cloud-hosted SaaS deployments have already been patched and require no customer action. Cisco said it is not aware of active exploitation and that the flaw was discovered during internal security testing, though vulnerabilities carrying a 10.0 score and requiring no authentication rarely stay quiet for long. The bug lands less than a week after Cisco disclosed another maximum severity flaw affecting SD-WAN systems that could allow attackers to grant themselves administrator privileges, continuing what is becoming an increasingly awkward run of top-scoring Cisco security advisories. The company has spent much of the past year disclosing one 9.8-plus infrastructure flaw after another across products spanning firewalls, management platforms, identity systems, and enterprise networking gear. At this point, Cisco seems to be treating 10.0 CVSS scores as a recurring feature rather than a special occasion. ®

TikTok, YouTube, and Roblox face scrutiny, but age gates won’t fix child safety

21 May 2026 at 13:08

A damaging new report from Ofcom, the UK’s communications regulator, has delivered a stark verdict: TikTok and YouTube’s content feeds are “not safe enough” for children. This isn’t just another regulatory slap on the wrist. Ofcom is putting out a wake-up call for anyone working in cybersecurity, threat intelligence, and online safety.

In its own words:

“Notably, TikTok and YouTube failed to commit to any significant changes to reduce harmful content being served to children, maintaining their feeds are already safe for children.”

On the positive side, Snap, Meta, and Roblox agreed to adopt further safety measures to protect children from online grooming and “stranger danger.”

The BBC reports that an Ofcom survey found 84% of children aged 8 to 12 were still using at least one major service with a minimum age of 13. We reported earlier about how easy it was to fool some of the age verification methods. Researchers using under-13 accounts also reported encountering sexual content and offensive language shortly after entering specific Roblox games.

Speaking of Roblox, The Guardian reports that US advocacy groups have formally requested the Federal Trade Commission (FTC) investigate Roblox for what they call “unfair and deceptive” practices. The complaint focuses on:

  • In-game purchases pressuring children to spend money
  • Chat functionality exposing children to strangers
  • Features designed to maximize engagement, which critics argue may be addictive

Drew Benvie, CEO of Battenhall and founder of youth safety nonprofit Raise, noted:

 “Although Roblox is implementing new age-based safety measures, young players are adept at circumventing these protections.”

The cybersecurity point of view

What keeps cybersecurity researchers up at night is another angle to this problem. Many proposed age assurance solutions require users to hand over government IDs or biometric selfie data. We already talked about this in our blog, Age verification: Child protection or privacy risk?

Age verification systems create massive data collection opportunities that become prime targets for:

  • Data breaches exposing sensitive personally identifiable information (PII)
  • Identity theft facilitated by centralized ID databases
  • Biometric data theft, which cannot be changed like passwords
  • Malware and scams targeting users on less-secure platforms

When restrictions push young users toward smaller or less secure sites, they encounter:

  • No basic safety protections
  • Higher exposure to malware
  • Increased phishing and scam risks
  • Unmoderated harmful content

This is exactly what we see in threat intelligence: As defenders secure one vector, cybercriminals adapt and move elsewhere.

Safer systems beat stricter age gates

Protecting children should focus on building safer digital experiences overall. This is the only viable path forward because:

  • Stronger moderation actually removes harmful content rather than just blocking access
  • Safer recommendation systems prevent algorithmic amplification of harmful content
  • Better platform accountability means companies can’t prioritize engagement over safety
  • Avoiding invasive data collection prevents creating massive honeypots for attackers

As someone who analyzes malware and threats daily, I can tell you: security through obscurity (age gates) doesn’t work. Security through robust system design (moderation, safer algorithms, accountability) does.


Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

TikTok, YouTube, and Roblox face scrutiny, but age gates won’t fix child safety

21 May 2026 at 13:08

A damaging new report from Ofcom, the UK’s communications regulator, has delivered a stark verdict: TikTok and YouTube’s content feeds are “not safe enough” for children. This isn’t just another regulatory slap on the wrist. Ofcom is putting out a wake-up call for anyone working in cybersecurity, threat intelligence, and online safety.

In its own words:

“Notably, TikTok and YouTube failed to commit to any significant changes to reduce harmful content being served to children, maintaining their feeds are already safe for children.”

On the positive side, Snap, Meta, and Roblox agreed to adopt further safety measures to protect children from online grooming and “stranger danger.”

The BBC reports that an Ofcom survey found 84% of children aged 8 to 12 were still using at least one major service with a minimum age of 13. We reported earlier about how easy it was to fool some of the age verification methods. Researchers using under-13 accounts also reported encountering sexual content and offensive language shortly after entering specific Roblox games.

Speaking of Roblox, The Guardian reports that US advocacy groups have formally requested the Federal Trade Commission (FTC) investigate Roblox for what they call “unfair and deceptive” practices. The complaint focuses on:

  • In-game purchases pressuring children to spend money
  • Chat functionality exposing children to strangers
  • Features designed to maximize engagement, which critics argue may be addictive

Drew Benvie, CEO of Battenhall and founder of youth safety nonprofit Raise, noted:

 “Although Roblox is implementing new age-based safety measures, young players are adept at circumventing these protections.”

The cybersecurity point of view

What keeps cybersecurity researchers up at night is another angle to this problem. Many proposed age assurance solutions require users to hand over government IDs or biometric selfie data. We already talked about this in our blog, Age verification: Child protection or privacy risk?

Age verification systems create massive data collection opportunities that become prime targets for:

  • Data breaches exposing sensitive personally identifiable information (PII)
  • Identity theft facilitated by centralized ID databases
  • Biometric data theft, which cannot be changed like passwords
  • Malware and scams targeting users on less-secure platforms

When restrictions push young users toward smaller or less secure sites, they encounter:

  • No basic safety protections
  • Higher exposure to malware
  • Increased phishing and scam risks
  • Unmoderated harmful content

This is exactly what we see in threat intelligence: As defenders secure one vector, cybercriminals adapt and move elsewhere.

Safer systems beat stricter age gates

Protecting children should focus on building safer digital experiences overall. This is the only viable path forward because:

  • Stronger moderation actually removes harmful content rather than just blocking access
  • Safer recommendation systems prevent algorithmic amplification of harmful content
  • Better platform accountability means companies can’t prioritize engagement over safety
  • Avoiding invasive data collection prevents creating massive honeypots for attackers

As someone who analyzes malware and threats daily, I can tell you: security through obscurity (age gates) doesn’t work. Security through robust system design (moderation, safer algorithms, accountability) does.


Scammers don’t need to hack you. They just need you to click once. 

Malwarebytes Identity Theft Protection catches suspicious activity before it becomes a problem.

Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking

21 May 2026 at 12:58

CVE-2026-9082 can be exploited without authentication for information disclosure, privilege escalation, and remote code execution.

The post Drupal Patches Highly Critical Vulnerability Exposing Websites to Hacking appeared first on SecurityWeek.

❌