Cybersecurity researchers at Kaspersky have uncovered a serious hardware-level vulnerability in Qualcomm Snapdragon chipsets that could lead to data loss and full device compromise. Notably, these chipsets power a wide range of devices, including smartphones, tablets, automotive systems, and IoT devices. The findings were officially presented at Black Hat Asia 2026, highlighting the growing concerns around embedded hardware security.
According to the researchers, the vulnerability exists within the BootROM, a critical firmware component embedded directly into hardware. Because the BootROM is the first code to execute and is fixed in silicon rather than delivered as updatable firmware, an attacker who exploits it gains access beneath the operating system and its security controls. Consequently, they may retrieve sensitive data, monitor device sensors such as cameras and microphones, and even take complete control of the system in certain cases.
The vulnerability specifically impacts multiple Qualcomm chipsets, including MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 series. Kaspersky reported the issue to Qualcomm in March 2025, and the company acknowledged it a month later in April 2025. It has now been officially assigned CVE-2026-25262. Furthermore, experts suggest that additional Qualcomm-based chips may also be at risk.
To better understand the flaw, Kaspersky researchers analyzed the Sahara protocol, a low-level communication mechanism activated when devices enter Emergency Download Mode (EDL). This mode is typically used for recovery and repair purposes. However, researchers demonstrated that attackers could exploit weaknesses in this process. As a result, with minimal physical access, they could bypass built-in security protections, compromise the secure boot chain, and deploy malicious software or backdoors.
Moreover, in practical scenarios, attackers could extract user credentials such as passwords and gain access to sensitive data, including files, contacts, and location details. They could also remotely activate cameras and microphones, raising serious privacy concerns. Alarmingly, the researchers emphasized that attackers need only a few minutes of physical access to execute such attacks. Therefore, devices left unattended or sent for repair could be particularly vulnerable.
In addition, the threat extends beyond individual users. Researchers warned that devices could also be compromised during supply chain stages, making this vulnerability a broader cybersecurity risk.
“Vulnerabilities like this may allow attackers to deploy malware that is difficult to detect and remove. In practice, this could enable covert data collection or influence device behavior over extended periods of time. While a reboot might seem like an effective way to remove such malware, it cannot always be relied upon: compromised systems may simulate a reboot without actually resetting. In such cases, only a complete loss of power – including battery depletion – guarantees a clean restart,” comments Sergey Anufrienko, security expert at Kaspersky ICS CERT.
To mitigate risks, Kaspersky strongly recommends maintaining strict physical control over devices throughout their lifecycle, including supply, maintenance, and disposal stages. Additionally, users may attempt a full power reset or battery discharge to remove potential malware infections, although prevention remains the most effective defense.