CVE-2025-71254 Overview
CVE-2025-71254 is an improper input validation vulnerability [CWE-20] affecting the Modem IP Multimedia Subsystem (IMS) component. An attacker can send malformed input over the network to trigger a remote denial of service condition. The flaw does not require authentication, user interaction, or additional execution privileges. The vulnerability impacts availability only, with no effect on confidentiality or integrity. The issue is documented in the Unisoc Security Bulletin.
Critical Impact
Remote attackers can crash or disrupt Modem IMS functionality on affected devices without authentication, breaking voice over LTE (VoLTE), voice over Wi-Fi, and other IMS-dependent cellular services.
Affected Products
- Unisoc-based Modem IMS implementations (specific chipset models referenced in the Unisoc Security Bulletin)
- Mobile devices using affected Unisoc baseband firmware
- Cellular modules incorporating the vulnerable IMS stack
Discovery Timeline
- 2026-05-06 - CVE-2025-71254 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2025-71254
Vulnerability Analysis
The vulnerability resides in the Modem IMS (IP Multimedia Subsystem) component, which handles signaling and media for cellular voice and messaging services such as VoLTE, VoWiFi, and RCS. The IMS stack fails to properly validate input received over the network, allowing crafted protocol messages to reach unsafe code paths. When parsed, these malformed messages cause the modem firmware to enter an error state and terminate or hang. The result is a remote denial of service that disrupts cellular IMS services on the targeted device.
Because IMS signaling is processed at the modem layer, the attack does not require any user-mode interaction on the host operating system. The attacker only needs network reachability to the IMS interface used by the device.
Root Cause
The root cause is missing or insufficient validation of fields within IMS protocol messages before they are consumed by the modem firmware. Improper bounds, type, or state checks allow attacker-controlled data to drive the parser into a non-recoverable condition. The Unisoc Security Bulletin classifies the issue as improper input validation rather than memory corruption, indicating the impact is constrained to availability.
Attack Vector
The attack vector is network-based with low complexity and no privileges or user interaction required. An attacker positioned to deliver IMS signaling traffic, for example via a rogue base station, hostile carrier network, or a compromised IMS peer, sends a malformed message to the target. The modem processes the message, fails validation downstream, and crashes the IMS service. Repeated delivery sustains the denial of service. No code execution is achieved and no data is exposed.
Verified exploit code is not publicly available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Unisoc Security Bulletin for vendor technical details.
Detection Methods for CVE-2025-71254
Indicators of Compromise
- Unexpected modem resets, IMS service registration failures, or repeated loss of VoLTE/VoWiFi capability on affected devices
- Device logs (logcat, modem ramdumps, dmesg) showing IMS task crashes or assertion failures shortly after receiving inbound IMS signaling
- Anomalous SIP/IMS traffic patterns directed at the device, particularly malformed REGISTER, INVITE, or SUBSCRIBE messages
Detection Strategies
- Monitor mobile device management (MDM) telemetry for clusters of devices reporting cellular voice service drops correlated in time or location
- Inspect carrier-side IMS core logs for malformed signaling messages and correlate with subscriber outage reports
- Capture and analyze radio interface traces on test devices to identify signatures of crash-inducing IMS payloads
Monitoring Recommendations
- Track modem firmware versions across the device fleet and flag devices running pre-patch builds referenced in the Unisoc bulletin
- Alert on repeated IMS de-registration events or modem subsystem restarts on individual handsets
- Correlate cellular service degradation with the presence of unauthorized base stations or rogue Wi-Fi calling endpoints
How to Mitigate CVE-2025-71254
Immediate Actions Required
- Apply the firmware update referenced in the Unisoc Security Bulletin as soon as the device OEM publishes it for affected models
- Inventory devices using Unisoc chipsets and prioritize patch deployment for handsets in high-risk environments
- Coordinate with mobile carriers to validate IMS core filtering of malformed signaling toward subscriber endpoints
Patch Information
Unisoc has acknowledged the vulnerability through its product security bulletin. Patched modem firmware must be delivered by device OEMs and carrier partners as part of standard mobile security update channels. Confirm the fix is included in the build by cross-referencing the security patch level against the bulletin entry for CVE-2025-71254.
Workarounds
- Disable VoLTE and Wi-Fi calling on affected devices where operationally acceptable until firmware updates are installed
- Restrict use of untrusted Wi-Fi networks for IMS traffic by enforcing VPN or carrier-only voice paths via MDM policy
- Avoid connecting to unverified cellular networks in sensitive operational contexts to reduce exposure to rogue base station delivery of malformed IMS messages
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
