Analysis Summary
# Vulnerability: Qualcomm BootROM Write-What-Where Arbitrary Code Execution
## CVE Details
- CVE ID: CVE-2026-25262
- CVSS Score: 6.4 (Medium). *Note: the advisory text lists 0.0, but the supplied CVSS v3.x vector (AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) computes to a base score of 6.4.*
- CWE: CWE-123: Write-what-where Condition
## Affected Systems
- **Products:** Qualcomm Chipset Series
- **Versions:** All versions of the following:
  - MDM9x07
  - MDM9x45
  - MDM9x65
  - MSM8909
  - MSM8916
  - MSM8952
  - SDX50
- **Configurations:** Systems relying on the hardware-based Secure Boot chain of these chipsets.
## Vulnerability Description
A "Write-What-Where" condition (CWE-123) exists within the BootROM of several Qualcomm chipsets: the attacker controls both the value written and the memory address it is written to. Because the BootROM is the first code executed by the processor and anchors the hardware root of trust, corrupting memory during the early boot stage lets an attacker bypass Secure Boot signature verification and execute unsigned, malicious code with the highest possible system privileges.
## Exploitation
- **Status:** PoC status not explicitly stated; reported by Kaspersky ICS CERT.
- **Complexity:** High
- **Attack Vector:** Physical (Requires direct physical access to the device)
## Impact
- **Confidentiality:** High (Full access to data on the device)
- **Integrity:** High (Ability to modify firmware and system code)
- **Availability:** High (Ability to brick or permanently alter the device)
## Remediation
### Patches
- As the vulnerability is located in the **BootROM**, it is generally considered unpatchable via traditional software updates: BootROM code is fixed in silicon at manufacture and can only change with a new hardware revision. Users should contact Qualcomm or their device OEM for specific hardware revision information.
### Workarounds
- **Physical Security:** Implement strict physical access controls to prevent unauthorized personnel from interfacing with the device hardware.
- **Hardware Hardening:** For industrial applications, ensure devices are housed in tamper-evident or tamper-resistant enclosures.
## Detection
- **Indicators of Compromise:** Unusual device behavior, such as unexplained overheating when the device is idle.
- **Detection Methods:**
  - Regularly audit the integrity of the secondary bootloaders and firmware.
  - Monitor for unauthorized physical access attempts in secure environments.
## References
- Kaspersky ICS CERT Advisory: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2026/04/20/qualcomm-chipsets-series-write-what-where-condition-vulnerability-in-bootrom/
- NVD CVE-2026-25262: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-25262
- Mitre CWE-123: hxxps[://]cwe[.]mitre[.]org/data/definitions/123[.]html