Cybersecurity company Kaspersky said it found a hardware-level flaw in several Qualcomm Snapdragon chipsets that could allow attackers to access sensitive data and, in some cases, take full control of devices.
The issue, tracked as CVE-2026-25262, affects widely used chipsets including MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50. These chips are found in smartphones, tablets, IoT devices, and even vehicle components, raising concerns about large-scale exposure.
The vulnerability sits in the BootROM, a low-level firmware embedded in the chip. Because it operates below the operating system, attacks at this layer are harder to detect and remove.
“Vulnerabilities like this may allow attackers to deploy malware that is difficult to detect and remove,” said Sergey Anufrienko, security expert at Kaspersky ICS CERT. “In practice, this could enable covert data collection or influence device behavior over extended periods of time.”
Kaspersky said attackers with just a few minutes of physical access to a device could exploit the flaw. This could happen during phone repairs, shipping, or even brief periods when a device is left unattended.
The researchers focused on the Sahara protocol, used when Qualcomm devices enter Emergency Download Mode (EDL), a recovery feature designed to restore or repair devices. By exploiting weaknesses in this process, attackers may bypass key protections, compromise the secure boot chain, and install backdoors directly into the chip.
In affected smartphones or tablets, this could expose passwords, files, contacts, location data, and even allow access to the camera and microphone.
Anufrienko warned that restarting a compromised device may not be enough. “In such cases, only a complete loss of power, including battery depletion, guarantees a clean restart,” he said.
In its post, Kaspersky said it reported the flaw to Qualcomm in March 2025, and the chipmaker acknowledged it in April 2025. The company said other Qualcomm-based chips may also be affected.
The firm advised organizations and consumers to enforce strict physical security controls, especially during device repair, transport, and disposal, to reduce the risk of compromise.