Full Report
Google's Threat Analysis Group, which investigates government-backed hacks, was credited with the discovery of the zero-days.
Analysis Summary
# Vulnerability: Qualcomm Chip Zero-Days Exploited in Targeted Campaigns
## CVE Details
- CVE ID: CVE-2025-21479, CVE-2025-21480, CVE-2025-27038
- CVSS Score: N/A (Not explicitly provided, but described as zero-days exploited in the wild)
- CWE: N/A
## Affected Systems
- Products: Qualcomm Chips/Components (underlying hardware used in Android devices)
- Versions: Specific vulnerable versions are not detailed in the summary.
- Configurations: Systems running Android devices utilizing the affected Qualcomm components.
## Vulnerability Description
Qualcomm patched three zero-day vulnerabilities that were reported by Google's Threat Analysis Group (TAG) in February. These flaws exist within Qualcomm chip components used in numerous mobile devices.
## Exploitation
- Status: May be under limited, targeted exploitation ("in use as part of hacking campaigns").
- Complexity: Implied to be sufficiently complex to require a dedicated threat analysis group (Google TAG) to track, fitting the profile of government-backed attacks.
- Attack Vector: Not explicitly defined, but likely targeting the kernel, drivers, or firmware components of the chipsets, typical for flaws requiring vendor-specific patches.
## Impact
- Confidentiality: High (Implied, given use by government-backed groups)
- Integrity: High (Implied)
- Availability: High (Implied)
## Remediation
### Patches
- Qualcomm made patches available to device makers in May.
- Device manufacturers (OEMs) are responsible for applying these updates to end-user devices. Patches are available from Qualcomm, but deployment by OEMs may take several weeks.
### Workarounds
- No specific workarounds are listed in the provided text.
## Detection
- Detection methods are not specified, but Google TAG's monitoring likely provided the initial detection/reporting.
- Google Pixel devices are confirmed *not* to be affected by these specific Qualcomm vulnerabilities.
## References
- Vendor Advisories: Qualcomm Security Bulletin (Patches made available in May 2025)
- Relevant Links:
- techcrunch dot com/2025/06/03/phone-chipmaker-qualcomm-fixes-three-zero-days-exploited-by-hackers/