Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-21477

CVE-2025-21477: Qualcomm 315 5G IoT Modem DoS Flaw

CVE-2025-21477 is a denial of service vulnerability in Qualcomm 315 5G IoT Modem Firmware caused by invalid CCCH data length processing. This article covers the technical details, affected firmware versions, and mitigation steps.

Updated:

CVE-2025-21477 Overview

CVE-2025-21477 is a transient denial-of-service (DoS) vulnerability affecting a broad range of Qualcomm modem, Wi-Fi, audio, and Snapdragon platform firmware. The flaw is triggered when the modem processes Common Control Channel (CCCH) data and the network sends a message with an invalid length field. Improper input validation [CWE-20] in the CCCH parsing path causes a transient failure in the affected component. The issue is network-reachable and requires no authentication or user interaction. Qualcomm published the fix in the August 2025 Security Bulletin.

Critical Impact

A remote attacker operating a rogue base station or compromised network element can repeatedly transmit malformed CCCH messages to disrupt cellular connectivity on affected Snapdragon devices.

Affected Products

  • Qualcomm 315 5G IoT Modem and Snapdragon Auto 5G Modem-RF (Gen 1 and Gen 2)
  • Snapdragon mobile platforms including 4 Gen 1, 8 Gen 1/2/3, 8+ Gen 1/2, 480/690/695/765/780/865/870/888 5G
  • FastConnect 6200/6700/6800/6900/7800, QCA/QCN/QCS/QCM series, WCD/WCN/WSA audio and connectivity firmware

Discovery Timeline

  • 2025-08-06 - CVE-2025-21477 published to NVD
  • 2025-08-06 - Qualcomm August 2025 Security Bulletin released with patch information
  • 2025-08-20 - Last updated in NVD database

Technical Details for CVE-2025-21477

Vulnerability Analysis

The vulnerability resides in the modem firmware code path that parses Common Control Channel (CCCH) messages received from the serving network. CCCH is a logical channel defined in 3GPP specifications and is used to carry signaling between the network and User Equipment (UE) before a dedicated channel is established. When the network sends a CCCH message containing a length field that does not match the expected or valid bounds, the firmware fails to reject or sanitize the input. The resulting condition produces a transient denial of service, disrupting cellular operation until the modem recovers or restarts.

Root Cause

The root cause is improper input validation [CWE-20] in the CCCH data handler. The parser trusts a length value supplied in the over-the-air message without verifying it against the actual buffer or protocol-defined limits. Processing the malformed length value causes the modem subsystem to enter an error state, terminating signaling and dropping connectivity.

Attack Vector

Exploitation requires an attacker to deliver a crafted CCCH message to the target UE. This is achievable through a rogue or compromised base station, an IMSI catcher, or a malicious femtocell within radio range. No credentials, prior pairing, or user interaction are required. Because CCCH is processed before authentication completes, the attack surface is exposed to any device that camps on the malicious cell. Repeated transmission of the malformed message produces a sustained service disruption against affected devices.

No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2025-21477

Indicators of Compromise

  • Unexpected and repeated modem resets or radio interface restarts on Snapdragon-based devices in a localized geographic area
  • Sudden loss of cellular registration followed by re-attach loops while in range of unfamiliar base stations
  • Diagnostic logs showing CCCH parsing errors or malformed RRC signaling on the modem subsystem

Detection Strategies

  • Correlate modem crash reports and baseband diagnostic logs across managed mobile fleets to identify clusters of CCCH-related failures
  • Use mobile threat defense or Mobile Device Management (MDM) telemetry to flag devices reporting abnormal cellular disconnection frequency
  • Deploy rogue base station detection capabilities in sensitive locations to identify unauthorized RF emitters operating on cellular bands

Monitoring Recommendations

  • Monitor fleet-wide baseband firmware versions to confirm devices receive the August 2025 Qualcomm patches through OEM update channels
  • Track MDM event streams for repeated radio resets, signal loss anomalies, and reattach storms localized to specific cells or sites
  • Establish baselines for normal cellular registration and authentication patterns so deviations indicating malicious cells become identifiable

How to Mitigate CVE-2025-21477

Immediate Actions Required

  • Apply OEM firmware updates incorporating Qualcomm's August 2025 security patches to all affected Snapdragon and modem-equipped devices
  • Inventory devices using affected chipsets across mobile, IoT, automotive, and compute fleets and prioritize patching of high-value endpoints
  • Restrict use of unpatched devices in environments where rogue base station activity is plausible, such as conferences, border regions, and sensitive facilities

Patch Information

Qualcomm addressed CVE-2025-21477 in the Qualcomm August 2025 Security Bulletin. Device-level patches are delivered through Original Equipment Manufacturer (OEM) firmware update channels. Customers should verify with each device vendor that the August 2025 baseband patch level is installed.

Workarounds

  • Where patches are not yet available from the OEM, configure devices to prefer trusted Wi-Fi networks and minimize reliance on cellular signaling in untrusted environments
  • Disable legacy radio access technologies on devices that support it, reducing exposure to downgrade-based rogue base station attacks
  • Use enterprise mobility management policies to enforce timely acceptance of vendor firmware updates as they are released
bash
# Verify Android baseband (radio) version on a managed device
adb shell getprop gsm.version.baseband

# Confirm Android security patch level reflects August 2025 or later
adb shell getprop ro.build.version.security_patch

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.