CVE-2025-61610 Overview
CVE-2025-61610 is a high-severity improper input validation vulnerability affecting the NR (New Radio) modem component in Google Android devices running on Unisoc chipsets. The vulnerability exists due to insufficient validation of input data processed by the modem, which can result in a system crash when exploited. This could lead to remote denial of service conditions with no additional execution privileges required by the attacker.
The vulnerability is particularly concerning because it can be exploited remotely over the network without any user interaction or special privileges, making it an attractive target for attackers seeking to disrupt mobile device availability.
Critical Impact
Remote attackers can cause system crashes on affected Android devices with Unisoc chipsets, leading to denial of service conditions without requiring user interaction or special privileges.
Affected Products
- Google Android 13.0, 14.0, 15.0, 16.0
- Unisoc T8100 chipset
- Unisoc T8200 chipset
- Unisoc T8300 chipset
- Unisoc T9100 chipset
Discovery Timeline
- 2025-12-01 - CVE-2025-61610 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-61610
Vulnerability Analysis
This vulnerability carries a CVSS 3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. The scoring reflects the following characteristics:
| Metric | Value | Description |
|---|---|---|
| Attack Vector | Network | Exploitable remotely over the network |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim interaction required |
| Scope | Unchanged | Impact limited to vulnerable component |
| Confidentiality | None | No data exposure |
| Integrity | None | No data modification |
| Availability | High | Complete denial of service possible |
The EPSS (Exploit Prediction Scoring System) indicates a probability of 0.153% with a percentile ranking of 36.6, suggesting a relatively low but non-trivial likelihood of exploitation in the wild.
Root Cause
The root cause of CVE-2025-61610 lies in improper input validation within the NR modem component. The NR modem, responsible for handling 5G New Radio communications, fails to properly validate certain input parameters before processing them. When malformed or unexpected input is received, the modem component does not handle the error condition gracefully, resulting in a system crash.
Input validation vulnerabilities in modem firmware are particularly dangerous because modems operate at a low level in the device stack and process data received directly from cellular networks, which may be controlled or influenced by malicious actors.
Attack Vector
The attack can be executed remotely over the network without requiring any authentication or user interaction. An attacker with the ability to send crafted data to the target device's modem—potentially through malicious base stations, compromised network infrastructure, or specially crafted network packets—can trigger the vulnerability.
The attack flow typically involves:
- The attacker identifies a target device using a vulnerable Unisoc chipset running an affected Android version
- Malformed input data is transmitted to the device's NR modem component
- The modem fails to validate the input properly and enters an error state
- The system crashes, causing denial of service to the device user
Since no proof-of-concept code has been publicly disclosed and no verified code examples are available, the specific technical details of exploitation remain protected. Security researchers and administrators should refer to the Unisoc Security Advisory for additional technical information.
Detection Methods for CVE-2025-61610
Indicators of Compromise
- Unexpected device reboots or crashes without user action
- Modem-related error messages or crash dumps in system logs
- Increased frequency of system instability when connected to cellular networks
- NR modem component crashes recorded in Android diagnostic logs
Detection Strategies
Organizations managing fleets of Android devices with Unisoc chipsets should implement the following detection approaches:
- Log Monitoring: Configure centralized logging to collect modem crash events and system instability indicators from affected devices
- Crash Analysis: Review crash dumps and tombstone files for modem-related exceptions
- Behavioral Monitoring: Deploy mobile device management (MDM) solutions capable of detecting unusual reboot patterns
- Network Traffic Analysis: Monitor for anomalous cellular network traffic patterns that may indicate exploitation attempts
SentinelOne Singularity Mobile provides comprehensive protection for Android devices, including behavioral detection capabilities that can identify system instability patterns indicative of exploitation attempts against modem components.
Monitoring Recommendations
- Enable verbose logging for modem components on devices where diagnostics are available
- Configure alerting for repeated system crashes or modem resets within short time periods
- Deploy endpoint detection solutions that can monitor low-level system behavior
- Establish baseline crash rates for managed device fleets to identify anomalous patterns
How to Mitigate CVE-2025-61610
Immediate Actions Required
- Verify if your Android devices use affected Unisoc chipsets (T8100, T8200, T8300, T9100)
- Check device firmware versions against vendor security advisories
- Apply available security patches from device manufacturers promptly
- Consider restricting devices to trusted cellular networks where possible
- Monitor for vendor security updates from both Google and Unisoc
Patch Information
Unisoc has released a security advisory addressing this vulnerability. Organizations should:
- Review the official advisory at Unisoc Security Announcement
- Contact device OEMs for firmware updates incorporating the fix
- Prioritize patching based on device exposure and criticality
- Validate patches in a test environment before widespread deployment
Google Android security updates should be monitored for patches addressing this vulnerability across Android versions 13.0, 14.0, 15.0, and 16.0.
Workarounds
Until patches can be applied, the following workarounds may help reduce risk:
- Limit device use in untrusted network environments where malicious base stations could be present
- Enable automatic security updates on affected devices to receive patches promptly
- Consider using alternative connectivity methods (Wi-Fi) in high-risk environments when cellular connectivity is not critical
- Deploy mobile threat defense solutions that can detect and alert on system stability issues
For enterprise environments, MDM solutions can be configured to enforce security policies and expedite patch deployment across affected device fleets. SentinelOne Singularity Mobile provides additional protection layers that can help detect exploitation attempts and enforce compliance with security update requirements.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
