Kaspersky finds Qualcomm chip flaw risks data loss

DCV Report

Kaspersky researchers have uncovered a hardware-level vulnerability in widely used Qualcomm chipsets that could allow attackers to fully compromise affected devices. The flaw, identified in the BootROM firmware – embedded at the hardware level – impacts Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 series chipsets, with other Qualcomm-based chips potentially also at risk. It has been assigned CVE-2026-25262, a press release said.

The findings were presented at Black Hat Asia 2026. Kaspersky reported the issue to Qualcomm in March 2025, and Qualcomm acknowledged it in April 2025.

The vulnerability is linked to the Sahara protocol, which enables communication when devices enter Emergency Download Mode (EDL), a recovery mode used for repairs or software restoration. Researchers found that attackers with just a few minutes of physical access could exploit this flaw to bypass security protections, compromise the secure boot process, install malicious apps or backdoors, and gain access to sensitive data.

On smartphones or tablets, this could expose passwords, files, contacts, location data, and even camera and microphone access. Researchers also warned of potential supply chain risks.

“Vulnerabilities like this may allow attackers to deploy malware that is difficult to detect and remove. In practice, this could enable covert data collection or influence device behavior over extended periods of time. While a reboot might seem like an effective way to remove such malware, it cannot always be relied upon: compromised systems may simulate a reboot without actually resetting. In such cases, only a complete loss of power – including battery depletion – guarantees a clean restart,” comments Sergey Anufrienko, security expert at Kaspersky ICS CERT.

Kaspersky advises organizations and individual users to exercise strict physical security control over devices, including at the supply, maintenance and decommissioning phases. Rebooting the device by cutting off the power supply to the affected chip (if available) or by fully discharging the battery may help to get rid of the malware if it was installed.

Read the advisory on the website of Kaspersky ICS CERT.
