Qualcomm Security Crisis: Unpatchable BootROM Flaw and New Critical CVEs Keep IoT, Smartphones, and Automotive Under Pressure
The unpatchable Qualcomm BootROM vulnerability CVE-2026-25262 remains a permanent risk for IoT infrastructure, smartphones, and automotive control units – and Google’s June Android Security Bulletin shows that Qualcomm chips continue to be scrutinized intensively by security researchers, with new vulnerabilities surfacing in the process.
The Key Facts
- CVE-2026-25262 in the Qualcomm BootROM cannot be patched on already-shipped hardware by design – affected devices include IoT communication modules (MDM9x07 series), budget smartphones (MSM8916), and automotive control units (SDX50).
- The June 2026 Android Security Bulletin adds three more critical Qualcomm vulnerabilities with CVSS scores of 9.8, each requiring separate firmware updates from device manufacturers – underlining that the chip vendor is under sustained pressure.
- No active exploits of CVE-2026-25262 in the wild have been documented so far; the risk profile nonetheless remains permanently elevated for industrial environments and the automotive sector, where physical device access is a realistic attack scenario.
In late April, Kaspersky ICS CERT researchers Alexander Kozlov and Sergey Anufrienko presented a discovery at Black Hat Asia 2026 that fundamentally undermines trust in the security architecture of Qualcomm chips. The situation has not eased since – quite the opposite.
The Attack Surface: BootROM and Emergency Download Mode
The BootROM is the read-only memory baked directly into the silicon, the very first component to execute when a device powers on. It forms the root of trust for the entire security chain – and that is precisely where the problem lies.
The attack exploits the Sahara protocol stack, a component of Emergency Download Mode (EDL). Service centers and device manufacturers use this mode to recover bricked devices over a USB connection. Because Sahara is implemented directly within the BootROM, it runs before any operating system loads, before any access control applies and before any later security check activates – a flaw there sits beneath every mitigation the rest of the stack adds. The underlying weakness is classified as CWE-123 (Write-What-Where Condition): the attacker controls both the data written and the memory address it is written to. A few minutes of physical USB access is enough to extract passwords and location data, to activate hardware such as the camera and microphone, or to take full control of the device.
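To make the CWE-123 class concrete, the following is an added example (not code from the Kaspersky research or from Qualcomm): a simplified model of a USB image-download handler that trusts a host-supplied destination address, beside a bounded version of the same handler. The packet layout, the memory map, the load region and the "secure boot" flag are hypothetical stand-ins; the point is that a handler which copies wherever the host says can be used to overwrite state it was never meant to touch.

```c
/* Added example, not Kaspersky's or Qualcomm's code: a simplified model of a
 * CWE-123 write-what-where condition in a USB image-download handler of the
 * kind an EDL/Sahara-style service exposes, beside a bounded version.
 * The packet layout, the memory map and the secure-boot flag are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RAM_SIZE         0x1000   /* stand-in for on-chip SRAM */
#define LOAD_BASE        0x0100   /* region the host may load an image into */
#define LOAD_SIZE        0x0800
#define SECURE_FLAG_ADDR 0x0F00   /* sensitive word that lies outside the load region */

static uint8_t ram[RAM_SIZE];

/* Constructed "write" request: the host names both the address and the length. */
typedef struct {
    uint32_t       dest_addr;
    uint32_t       length;
    const uint8_t *data;
} write_req_t;

/* Put the device into a known state with the secure-boot flag set. */
void reset_device(void)
{
    uint32_t enabled = 1;
    memset(ram, 0, sizeof ram);
    memcpy(ram + SECURE_FLAG_ADDR, &enabled, sizeof enabled);
}

uint32_t read_u32(uint32_t addr)
{
    uint32_t v = 0;
    if (addr <= RAM_SIZE - sizeof v)
        memcpy(&v, ram + addr, sizeof v);
    return v;
}

/* Vulnerable: copies host-supplied bytes to a host-supplied address.
 * Every address the host can name becomes writable: write-what-where. */
int handle_write_vulnerable(const write_req_t *r)
{
    memcpy(ram + r->dest_addr, r->data, r->length);
    return 0;
}

/* Hardened: accept only writes that lie entirely inside the load region.
 * The third test is written as a subtraction so that dest_addr + length
 * cannot wrap around a 32-bit value and slip past the check. */
int handle_write_hardened(const write_req_t *r)
{
    if (r->dest_addr < LOAD_BASE)                          return -1;
    if (r->length > LOAD_SIZE)                             return -1;
    if (r->dest_addr - LOAD_BASE > LOAD_SIZE - r->length)  return -1;
    memcpy(ram + r->dest_addr, r->data, r->length);
    return 0;
}

/* Simulate a host that tries to clear the secure-boot flag and report the
 * flag's value afterwards: 1 means still enabled, 0 means cleared. */
uint32_t attack_secure_flag(int hardened)
{
    static const uint8_t zeros[4] = {0, 0, 0, 0};
    write_req_t r = { SECURE_FLAG_ADDR, sizeof zeros, zeros };
    reset_device();
    if (hardened)
        handle_write_hardened(&r);
    else
        handle_write_vulnerable(&r);
    return read_u32(SECURE_FLAG_ADDR);
}

/* Feed the hardened handler an arbitrary (address, length) pair drawn from a
 * zero-filled stand-in image; returns 0 if accepted, -1 if rejected. */
int probe_hardened(uint32_t dest_addr, uint32_t length)
{
    static const uint8_t image[LOAD_SIZE];
    write_req_t r = { dest_addr, length, image };
    reset_device();
    return handle_write_hardened(&r);
}

int main(void)
{
    printf("vulnerable handler: secure flag = %u\n", (unsigned)attack_secure_flag(0));
    printf("hardened handler:   secure flag = %u\n", (unsigned)attack_secure_flag(1));
    printf("wrapped length accepted? %s\n",
           probe_hardened(SECURE_FLAG_ADDR, 0xFFFFF200u) == 0 ? "yes" : "no");
    return 0;
}
```

The subtraction form of the bounds check matters: a check written as `dest_addr + length <= LOAD_BASE + LOAD_SIZE` passes for the wrapped pair in `main`, because the 32-bit sum overflows back into the permitted range.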
Affected Hardware: Far From a Niche Problem
CVE-2026-25262 affects the Qualcomm chip series MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 in every version shipped to date. The MDM9207 (a member of the MDM9x07 series) is integrated into cellular modem modules for industrial IoT applications, logistics trackers, medical devices, and banking terminals. MSM8916 powers a large number of budget smartphones. SDX50 is found in automotive control units. These are not obscure chips.
Qualcomm confirmed the vulnerability and included it in its May 2026 Security Bulletin. A patch for already-manufactured hardware is technically impossible: the BootROM is immutable by construction. Qualcomm has committed to releasing future chip generations without this design flaw.
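For operators who need to find affected units in an inventory, here is an added example (not from Kaspersky, Qualcomm or the bulletins) that matches a device's SoC identifier against the families listed above. On a Linux-based device the identifiers can be read from /proc/device-tree/compatible, which holds NUL-separated strings such as "qcom,msm8916"; the sample buffers below are constructed, and the assumption that the family name appears verbatim inside such a string is mine. Modem modules typically report their model through AT commands instead; the same matcher applies to that string.

```c
/* Added example, not from Kaspersky or Qualcomm: match SoC identifiers
 * against the chip families named in the advisory. The sample compatible
 * strings are constructed; the identifier format is an assumption. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Families from the advisory; '?' stands for any single digit (the 'x' in
 * MDM9x07), while the 'x' in sdx50 is a literal character. */
static const char *const AFFECTED[] = {
    "mdm9?07", "mdm9?45", "mdm9?65", "msm8909", "msm8916", "msm8952", "sdx50",
};

/* Case-insensitive match of one family pattern at position s. Returns 1 only
 * if the whole pattern matches and is not followed by another alphanumeric,
 * so "sdx50" does not match "sdx500". */
static int family_matches_at(const char *pattern, const char *s)
{
    for (; *pattern; pattern++, s++) {
        if (*pattern == '?') {
            if (!isdigit((unsigned char)*s)) return 0;
        } else if (tolower((unsigned char)*s) != *pattern) {
            return 0;
        }
    }
    return !isalnum((unsigned char)*s);
}

/* Return the matching family pattern for one identifier such as
 * "qcom,msm8916-mtp" or "MDM9607", or NULL if none matches. */
const char *affected_family(const char *id)
{
    for (size_t i = 0; i < sizeof AFFECTED / sizeof AFFECTED[0]; i++)
        for (const char *p = id; *p; p++)
            if (family_matches_at(AFFECTED[i], p))
                return AFFECTED[i];
    return NULL;
}

/* Walk a /proc/device-tree/compatible style buffer (NUL-separated strings,
 * len bytes in total) and return the first affected family found, or NULL. */
const char *scan_compatible(const char *buf, size_t len)
{
    char entry[64];
    size_t off = 0;
    while (off < len) {
        size_t n = strnlen(buf + off, len - off);
        size_t copy = n < sizeof entry - 1 ? n : sizeof entry - 1;
        memcpy(entry, buf + off, copy);
        entry[copy] = '\0';
        const char *fam = affected_family(entry);
        if (fam) return fam;
        off += n + 1;
    }
    return NULL;
}

int main(void)
{
    /* Constructed samples in the device-tree compatible format. */
    static const char phone[] = "qcom,msm8916-mtp\0qcom,msm8916";
    static const char modem[] = "qcom,mdm9607-mtp\0qcom,mdm9607";
    static const char other[] = "qcom,sm8550\0qcom,sdx500";
    const char *f;

    f = scan_compatible(phone, sizeof phone);
    printf("phone: %s\n", f ? f : "not affected");
    f = scan_compatible(modem, sizeof modem);
    printf("modem: %s\n", f ? f : "not affected");
    f = scan_compatible(other, sizeof other);
    printf("other: %s\n", f ? f : "not affected");
    return 0;
}
```

A match tells you the family is on the advisory's list, nothing more; the page's own point is that nothing on this list can be patched, so a positive result feeds the physical-access controls discussed below rather than an update queue.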
June 2026 Update: Qualcomm Chips Remain in the Crosshairs
Google’s June Android Security Bulletin includes three additional critical Qualcomm vulnerabilities in closed-source components (CVE-2025-47392, CVE-2026-25276, CVE-2026-25277), each carrying a CVSS score of 9.8. They affect hardware abstraction layers and require vendor-specific firmware updates from individual device manufacturers – which, given the typically long update chains in IoT and automotive, means in practice: many devices will never receive these patches.
Active exploits of CVE-2026-25262 in the wild remain undocumented. That does not change the structural risk: physical device access – via repairs, supply chain attacks, customs inspections, or insiders – is a realistic attack vector in industrial and mobile environments.
What Operators Can Do Now
Kaspersky recommends strict physical access controls, using only authorized service centers for repairs, and keeping firmware consistently up to date. The latter will not close the BootROM vulnerability itself, but it can eliminate related weaknesses at higher levels of the stack. If a device shows unusual behavior after an unattended period – unexplained network traffic, unexpected sensor activity – a full power cycle helps: according to current research, injected code does not survive a complete loss of power. That restores the device to its prior state, but it does not undo anything an attacker already extracted, and the device remains exactly as exposed to the next round of physical access.
Sources: Kaspersky ICS CERT, SOCRadar – June Android Security Bulletin