Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-71254

CVE-2025-71254: Modem IMS Denial of Service Vulnerability

CVE-2025-71254 is a denial of service vulnerability in Modem IMS caused by improper input validation. Remote attackers can exploit this flaw without privileges. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-71254 Overview

CVE-2025-71254 is an improper input validation vulnerability [CWE-20] affecting the Modem IP Multimedia Subsystem (IMS) component. An attacker can send malformed input over the network to trigger a remote denial of service condition. The flaw does not require authentication, user interaction, or additional execution privileges. The vulnerability impacts availability only, with no effect on confidentiality or integrity. The issue is documented in the Unisoc Security Bulletin.

Critical Impact

Remote attackers can crash or disrupt Modem IMS functionality on affected devices without authentication, breaking voice over LTE (VoLTE), voice over Wi-Fi, and other IMS-dependent cellular services.

Affected Products

  • Unisoc-based Modem IMS implementations (specific chipset models referenced in the Unisoc Security Bulletin)
  • Mobile devices using affected Unisoc baseband firmware
  • Cellular modules incorporating the vulnerable IMS stack

Discovery Timeline

  • 2026-05-06 - CVE-2025-71254 published to NVD
  • 2026-05-07 - Last updated in NVD database

Technical Details for CVE-2025-71254

Vulnerability Analysis

The vulnerability resides in the Modem IMS (IP Multimedia Subsystem) component, which handles signaling and media for cellular voice and messaging services such as VoLTE, VoWiFi, and RCS. The IMS stack fails to properly validate input received over the network, allowing crafted protocol messages to reach unsafe code paths. When parsed, these malformed messages cause the modem firmware to enter an error state and terminate or hang. The result is a remote denial of service that disrupts cellular IMS services on the targeted device.

Because IMS signaling is processed at the modem layer, the attack does not require any user-mode interaction on the host operating system. The attacker only needs network reachability to the IMS interface used by the device.

Root Cause

The root cause is missing or insufficient validation of fields within IMS protocol messages before they are consumed by the modem firmware. Improper bounds, type, or state checks allow attacker-controlled data to drive the parser into a non-recoverable condition. The Unisoc Security Bulletin classifies the issue as improper input validation rather than memory corruption, indicating the impact is constrained to availability.

Attack Vector

The attack vector is network-based with low complexity and no privileges or user interaction required. An attacker positioned to deliver IMS signaling traffic, for example via a rogue base station, hostile carrier network, or a compromised IMS peer, sends a malformed message to the target. The modem processes the message, fails validation downstream, and crashes the IMS service. Repeated delivery sustains the denial of service. No code execution is achieved and no data is exposed.

Verified exploit code is not publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Unisoc Security Bulletin for vendor technical details.

Detection Methods for CVE-2025-71254

Indicators of Compromise

  • Unexpected modem resets, IMS service registration failures, or repeated loss of VoLTE/VoWiFi capability on affected devices
  • Device logs (logcat, modem ramdumps, dmesg) showing IMS task crashes or assertion failures shortly after receiving inbound IMS signaling
  • Anomalous SIP/IMS traffic patterns directed at the device, particularly malformed REGISTER, INVITE, or SUBSCRIBE messages

Detection Strategies

  • Monitor mobile device management (MDM) telemetry for clusters of devices reporting cellular voice service drops correlated in time or location
  • Inspect carrier-side IMS core logs for malformed signaling messages and correlate with subscriber outage reports
  • Capture and analyze radio interface traces on test devices to identify signatures of crash-inducing IMS payloads

Monitoring Recommendations

  • Track modem firmware versions across the device fleet and flag devices running pre-patch builds referenced in the Unisoc bulletin
  • Alert on repeated IMS de-registration events or modem subsystem restarts on individual handsets
  • Correlate cellular service degradation with the presence of unauthorized base stations or rogue Wi-Fi calling endpoints

How to Mitigate CVE-2025-71254

Immediate Actions Required

  • Apply the firmware update referenced in the Unisoc Security Bulletin as soon as the device OEM publishes it for affected models
  • Inventory devices using Unisoc chipsets and prioritize patch deployment for handsets in high-risk environments
  • Coordinate with mobile carriers to validate IMS core filtering of malformed signaling toward subscriber endpoints

Patch Information

Unisoc has acknowledged the vulnerability through its product security bulletin. Patched modem firmware must be delivered by device OEMs and carrier partners as part of standard mobile security update channels. Confirm the fix is included in the build by cross-referencing the security patch level against the bulletin entry for CVE-2025-71254.

Workarounds

  • Disable VoLTE and Wi-Fi calling on affected devices where operationally acceptable until firmware updates are installed
  • Restrict use of untrusted Wi-Fi networks for IMS traffic by enforcing VPN or carrier-only voice paths via MDM policy
  • Avoid connecting to unverified cellular networks in sensitive operational contexts to reduce exposure to rogue base station delivery of malformed IMS messages

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.