Kaspersky ICS CERT discovered a hardware-level vulnerability affecting Qualcomm chipsets that are widely used in a range of consumer and industrial devices, including smartphones and tablets, car components, IoT devices and more. The vulnerability resides in the BootROM – firmware embedded at the hardware level. Attackers could potentially get access to any data stored on the device or device sensors like camera and microphone, implement complicated attack scenarios and in some circumstances get full control of the device. The results of the research were presented at Black Hat Asia 2026.
The vulnerability affects the Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952 and SDX50 series and was reported to Qualcomm in March 2025. Qualcomm formally acknowledged the vulnerability in April 2025. It has been assigned CVE-2026-25262. Other Qualcomm-based chips may be affected as well.
Kaspersky researchers explored the Sahara protocol, a low-level communication system used when a Qualcomm chip enters Emergency Download Mode (EDL) – a special recovery mode designed for repairing or restoring smartphones or other devices. Sahara acts as the first step that allows a computer to connect to the device and load software before the operating system on the device starts.
Kaspersky demonstrated that a security flaw in this process could allow an attacker with physical access to the target device to bypass key security protections in the chip, compromise the secure boot chain and, in some cases, deploy malicious applications and backdoors to the chip’s Application Processor, thus fully compromising the entire device. For example, when the target device is a smartphone or a tablet, the attacker can potentially capture passwords as the user enters them, which in turn opens access to multiple types of sensitive user data, such as files, contacts, location, and the device’s camera and microphone.
A potential attacker only needs a few minutes of physical access to a device to compromise it. Therefore, if a smartphone has been sent for repair or left unattended for a short time, one can no longer be sure it is not infected. Researchers warn that the threat extends beyond end-user scenarios to include potential compromise during the supply chain phase.
“Vulnerabilities like this may allow attackers to deploy malware that is difficult to detect and remove. In practice, this could enable covert data collection or influence device behavior over extended periods of time. While a reboot might seem like an effective way to remove such malware, it cannot always be relied upon: compromised systems may simulate a reboot without actually resetting. In such cases, only a complete loss of power – including battery depletion – guarantees a clean restart,” comments Sergey Anufrienko, security expert at Kaspersky ICS CERT.
Kaspersky advises organizations and individual users to exercise strict physical security control over devices, including during the supply, maintenance and decommissioning phases. Rebooting the device by cutting off the power supply to the affected chip (where possible) or by fully discharging the battery may help to get rid of the malware if it was installed.
Read the advisory on the website of Kaspersky ICS CERT.
About Kaspersky ICS CERT
Kaspersky ICS CERT is primarily focused on identifying and addressing potential and existing threats to industrial automation systems and the Industrial Internet of Things (IIoT). The team has successfully identified and helped eliminate hundreds of vulnerabilities in widely used OT/IoT products and key components, enhancing the security and resilience of these critical systems against sophisticated cyberattacks.