CVE-2025-61619 Overview
CVE-2025-61619 is a high-severity vulnerability affecting the NR modem component in Unisoc chipsets running on Google Android devices. The vulnerability stems from improper input validation in the modem firmware, which can be exploited remotely to cause a system crash, resulting in a denial of service condition. No additional execution privileges or user interaction are required for exploitation.
This vulnerability is particularly concerning for mobile device security as it targets the baseband processor, a critical component responsible for cellular communication. Attackers can potentially leverage malformed network data to trigger the crash remotely over the network, disrupting device availability without requiring physical access.
Critical Impact
Remote attackers can crash affected Android devices running Unisoc chipsets through malformed network input, causing denial of service without requiring authentication or user interaction.
Affected Products
- Google Android versions 13.0, 14.0, 15.0, and 16.0
- Unisoc T8100 chipset
- Unisoc T8200 chipset
- Unisoc T8300 chipset
- Unisoc T9100 chipset
Discovery Timeline
- 2025-12-01 - CVE-2025-61619 published to NVD
- 2025-12-02 - Last updated in NVD database
Technical Details for CVE-2025-61619
Vulnerability Analysis
The vulnerability exists within the NR (New Radio) modem component of Unisoc chipsets, which handles 5G network communications. With a CVSS v3.1 score of 7.5 (HIGH) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, this vulnerability is characterized by:
- Attack Vector (AV:N): Network-based exploitation is possible
- Attack Complexity (AC:L): Low complexity required for exploitation
- Privileges Required (PR:N): No authentication needed
- User Interaction (UI:N): No user action required
- Impact: High availability impact with no confidentiality or integrity impact
The Exploit Prediction Scoring System (EPSS) indicates a 0.153% probability of exploitation, placing this vulnerability in the 36.6th percentile.
Root Cause
The vulnerability is caused by improper input validation in the NR modem firmware. When processing certain inputs, the modem fails to adequately validate data boundaries or format, leading to an unhandled exception that crashes the system. This type of input validation flaw (classified as NVD-CWE-noinfo) typically occurs when untrusted input is processed without sufficient sanitization or bounds checking.
Baseband vulnerabilities are particularly severe because the modem operates with high privileges and processes network data before it reaches the application processor, making traditional mobile security controls ineffective against such attacks.
Attack Vector
The attack is network-based, meaning an attacker can potentially trigger the vulnerability by sending specially crafted data over the cellular network to the target device. The NR modem processes incoming network traffic, and malformed packets or signaling messages that exploit the improper input validation can cause the modem to crash.
Since no privileges or user interaction are required, an attacker within range of a malicious base station or with the ability to inject traffic into the network path could potentially exploit this vulnerability. The attack could be executed through:
- Malicious or compromised cellular base stations
- Man-in-the-middle attacks on cellular communications
- Crafted network signaling messages targeting the modem
Detection Methods for CVE-2025-61619
Indicators of Compromise
- Unexpected device reboots or system crashes without user action
- Modem-related crash logs in system diagnostics
- Repeated cellular connectivity failures or modem restarts
- System log entries indicating NR modem component failures
Detection Strategies
Organizations can implement the following detection strategies:
- Device Monitoring: Implement mobile device management (MDM) solutions that can detect unusual crash patterns or system instability across the device fleet.
- Network Monitoring: Monitor for anomalous cellular signaling patterns that may indicate exploitation attempts against modem components.
- Log Analysis: Configure devices to capture and forward crash reports for analysis. Look for patterns of modem-related crashes that may indicate exploitation.
- SentinelOne Mobile Protection: Deploy SentinelOne's mobile threat defense capabilities to monitor for suspicious device behavior and potential exploitation attempts targeting device components.
Monitoring Recommendations
- Enable comprehensive crash reporting on managed Android devices
- Configure alerts for devices experiencing repeated unexpected reboots
- Monitor device health metrics through MDM platforms for signs of denial of service attacks
- Implement SentinelOne Singularity Mobile to gain visibility into device-level threats and behavioral anomalies
- Review modem firmware versions across the device fleet to identify vulnerable deployments
How to Mitigate CVE-2025-61619
Immediate Actions Required
- Review the Unisoc vendor advisory for patch availability
- Identify all devices in your environment using affected Unisoc chipsets (T8100, T8200, T8300, T9100)
- Prioritize patching for devices running Android 13.0 through 16.0 with vulnerable Unisoc modem firmware
- Consider temporarily restricting high-risk devices from untrusted networks until patches are applied
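One way to combine the chipset and Android inventory check with the repeated-crash alerting recommended earlier, as an added example that is not part of the original advisory or of any vendor tooling. The record layouts, device IDs, the `OTHER-SOC` placeholder and the threshold of three modem crashes in 24 hours are assumptions, and all sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Affected set as listed in this advisory.
AFFECTED_SOCS = {"T8100", "T8200", "T8300", "T9100"}
AFFECTED_ANDROID = {13, 14, 15, 16}

# Constructed sample data; the layout is an assumption, not a real MDM schema.
INVENTORY = [  # (device_id, soc, android_major)
    ("dev-001", "T8200", 14),
    ("dev-002", "t8300", 15),
    ("dev-003", "OTHER-SOC", 14),
    ("dev-004", "T9100", 12),
]
EVENTS = [  # (device_id, ISO-8601 time, crashed subsystem)
    ("dev-001", "2025-12-03T08:15:00", "modem"),
    ("dev-001", "2025-12-03T09:40:00", "modem"),
    ("dev-001", "2025-12-03T13:05:00", "modem"),
    ("dev-002", "2025-12-01T10:00:00", "modem"),
    ("dev-002", "2025-12-04T18:30:00", "modem"),
    ("dev-003", "2025-12-03T11:00:00", "app"),
    ("dev-004", "2025-12-03T11:00:00", "modem"),
]

def max_in_window(times, window):
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def triage(inventory, events, window=timedelta(hours=24), threshold=3):
    """Label each device by advisory match and by bursts of modem crashes."""
    crashes = defaultdict(list)
    for dev, ts, subsystem in events:
        if subsystem == "modem":
            crashes[dev].append(datetime.fromisoformat(ts))
    labels = {(True, True): "patch-first", (True, False): "patch",
              (False, True): "investigate", (False, False): "not-listed"}
    report = {}
    for dev, soc, android in inventory:
        listed = soc.upper() in AFFECTED_SOCS and android in AFFECTED_ANDROID
        burst = max_in_window(crashes[dev], window) >= threshold
        report[dev] = labels[listed, burst]
    return report

if __name__ == "__main__":
    for dev, status in triage(INVENTORY, EVENTS).items():
        print(dev, status)
```

A crash burst alone does not confirm exploitation of this CVE; the label only orders the patch queue and flags devices whose crash reports deserve a closer look.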
Patch Information
Unisoc has published a security advisory addressing this vulnerability. Organizations should:
- Check the official Unisoc security announcement at: https://www.unisoc.com/en/support/announcement/1995394837938163714
- Coordinate with device manufacturers to obtain firmware updates that include the modem security patches
- Apply security updates through standard Android update channels when available from device OEMs
- Verify patch application by checking modem firmware versions after updates
Workarounds
Until patches can be applied, consider the following risk reduction measures:
- Network Segmentation: Where possible, limit exposure of vulnerable devices to untrusted network environments
- MDM Enforcement: Use mobile device management to enforce security policies and monitor device health
- Device Inventory: Maintain an accurate inventory of devices with Unisoc chipsets to ensure comprehensive patch coverage
- User Awareness: Inform users about potential device instability and the importance of applying updates promptly
Organizations using SentinelOne can leverage the Singularity platform to monitor managed devices for signs of exploitation and ensure visibility across their mobile device fleet during the remediation period.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

