Researchers at Kaspersky Lab identified a hardware vulnerability in Qualcomm Snapdragon chipsets used in smartphones, tablets, and cars, Vedomosti reports. The problem lies in the BootROM, the hardware-level boot code that executes first when the chip powers on. The research was presented at the Black Hat Asia 2026 conference.
The vulnerability (CVE-2026-25262) makes it possible, under certain conditions, to bypass a device's security mechanisms. The attack requires physical access: the device must be connected by cable to special equipment, and modern smartphones must also first be switched into a special service mode. In some cases the risk arises even when a device is plugged into an untrusted USB port, for example a charger in an airport or hotel. If the exploit succeeds, attackers may gain access to data, the camera, and the microphone, and in some scenarios full control over the device.
The problem affects chipsets in the MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 series. The company notified Qualcomm about the flaw in March 2025, and it was confirmed in April. The risk may also extend to chipsets from other vendors built on these platforms.
The researchers studied Qualcomm's Sahara protocol, which is used when a device is switched into Emergency Download Mode (EDL), a special recovery mode for repair or reflashing. A vulnerability at this stage makes it possible to compromise the trusted boot chain and install malware or backdoors in the device's application processor; an attacker needs only a few minutes of physical access. This creates risks not only during use but also at the repair or supply stage: a device may already be infected before it is handed to the user.
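The article does not say how an organisation would notice a device being dropped into EDL on a host it controls. The script below is an added example written for this page, not code from Kaspersky, Qualcomm or Vedomosti, and it relies on one fact the article does not state: a Qualcomm device in EDL exposes the Sahara loader over USB as vendor ID 05c6, product ID 9008 (the "QDLoader 9008" device). The kernel-log lines it scans are constructed for the example; the timestamps, bus paths and the second, non-Qualcomm device are made up.

```shell
#!/bin/sh
# Added example (not from the article): flag USB enumerations of a Qualcomm
# device in Emergency Download Mode (EDL). EDL exposes the Sahara loader over
# USB with vendor ID 05c6 and product ID 9008. A phone that enumerates this
# way on a host it is only supposed to charge from is worth a second look.

EDL_VID="05c6"
EDL_PID="9008"

# Constructed kernel-log lines standing in for `dmesg` output. The second
# device (18d1:4ee7, a normal Android device in ADB mode) is there to show
# that ordinary phones are not flagged.
SAMPLE_LOG=$(cat <<'EOF'
[  120.412] usb 1-2: new high-speed USB device number 7 using xhci_hcd
[  120.560] usb 1-2: New USB device found, idVendor=05c6, idProduct=9008, bcdDevice= 0.00
[  120.560] usb 1-2: Product: QUSB__BULK
[  120.560] usb 1-2: Manufacturer: Qualcomm CDMA Technologies MSM
[  300.001] usb 1-3: New USB device found, idVendor=18d1, idProduct=4ee7, bcdDevice= 4.04
[  300.002] usb 1-3: Product: Pixel 3
[  950.770] usb 2-1: New USB device found, idVendor=05c6, idProduct=9008, bcdDevice= 0.00
EOF
)

# Read kernel-log lines on stdin; print the USB bus path (e.g. "1-2") of
# every enumeration that matches the EDL vendor/product pair.
edl_enumerations() {
    grep -E "idVendor=${EDL_VID}, idProduct=${EDL_PID}" |
        sed -E 's/^.*usb ([0-9.-]+): .*$/\1/'
}

# Count EDL enumerations in a log passed as a string in $1.
count_edl() {
    printf '%s\n' "$1" | edl_enumerations | wc -l | tr -d ' '
}

# Return 0 when the log contains no EDL enumeration, 1 otherwise, so the
# function can serve as a health check in a kiosk or charging-station script.
check_log() {
    n=$(count_edl "$1")
    [ "$n" -eq 0 ]
}

main() {
    hits=$(printf '%s\n' "$SAMPLE_LOG" | edl_enumerations)
    if [ -n "$hits" ]; then
        printf 'EDL (Sahara) enumeration seen on USB port(s):\n%s\n' "$hits"
    else
        echo "no EDL-mode devices in log"
    fi
}

main
```

On a live host the same filter runs over real kernel output (`dmesg | edl_enumerations`), and `lsusb -d 05c6:9008` answers the point-in-time question of whether such a device is attached right now. The check only tells you that a device is sitting in EDL; whether the Sahara exchange that followed was benign reflashing or an attack is not visible from the host's USB log.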
Kaspersky ICS CERT expert Sergey Anufrienko noted that such vulnerabilities are used to install hard-to-detect and non-removable malware that allows data to be collected covertly or the device's operation to be influenced for a long time. A normal reboot does not help: a compromised system can simulate it without performing an actual restart. The only guaranteed way to clean the device is to fully cut off power, for example, after the battery is completely discharged.
F6 experts explained that attackers need physical access via a cable, so this is not about mass infection over the internet, but targeted attacks against specific victims. The vulnerability was found in outdated chipsets and does not affect most modern flagship smartphones. The problem can only be fully closed by the manufacturer (Qualcomm) or the vendor (Samsung, Xiaomi, and others) by releasing a BootROM firmware update.