Kaspersky Uncovers Critical Qualcomm BootROM Flaw That Could Put Millions of Devices at Risk

A close-up editorial illustration of a Qualcomm Snapdragon chipset highlighted by cybersecurity warning graphics, symbolizing Kaspersky’s discovery of a critical BootROM vulnerability that could expose millions of connected devices to deep hardware-level attacks.

 A newly disclosed hardware-level vulnerability in widely deployed Qualcomm Snapdragon and modem chipsets has raised fresh concerns about the security foundation of modern connected devices — from smartphones and tablets to industrial IoT systems and automotive components.

Security researchers at Kaspersky revealed the flaw, identified as CVE-2026-25262, after an in-depth investigation into Qualcomm’s low-level recovery mechanism known as the Sahara protocol, a communication channel used when devices enter Emergency Download Mode (EDL). The findings, presented at Black Hat Asia 2026, point to a serious weakness buried deep inside a chip’s BootROM — firmware etched into hardware that initializes a device before its operating system loads.

That location matters. Unlike software vulnerabilities that can often be patched through updates, BootROM flaws are among the most dangerous classes of hardware security issues because they sit at the root of trust for the entire system.

A Vulnerability at the Core of Device Security

According to Kaspersky researchers, attackers with only a few minutes of physical access to a vulnerable device could potentially bypass key chip-level protections, compromise secure boot, and install stealthy malware or persistent backdoors.

In practical terms, that could mean:

• Access to stored files and credentials
• Theft of contacts, messages, and location history
• Unauthorized activation of microphones and cameras
• Implantation of malware capable of surviving normal system resets
• Full device compromise in certain attack scenarios

The affected Qualcomm families include MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50, with researchers warning that additional Qualcomm-based platforms may also be exposed.

For security professionals, this is especially concerning because the attack begins before Android, Linux, or any higher operating system security layer even starts. Once trust at boot is broken, downstream protections become significantly less reliable.

Why Physical Access Attacks Are Becoming More Relevant

For years, physical access attacks were often treated as niche threats. That assumption no longer holds.

In today’s world, devices frequently pass through third-party repair shops, logistics warehouses, customs checkpoints, refurbishing centers, and enterprise provisioning chains. Each of those moments creates a short but meaningful window of exposure.

Consider a realistic enterprise scenario:

A logistics company deploys hundreds of rugged handheld scanners powered by Qualcomm chipsets. Before reaching employees, devices move through assembly, warehousing, shipping, and configuration facilities. If a malicious actor compromises even a small batch during transit using a BootROM exploit, implanted malware could quietly collect warehouse activity, shipment metadata, GPS movement patterns, or authentication credentials for months without detection.

This is not theoretical paranoia. Supply-chain compromise has already become a defining cybersecurity trend.

The SolarWinds cyberattack attack demonstrated how deeply embedded compromises can ripple across industries, while incidents involving spyware platforms such as NSO Group’s Pegasus highlighted how mobile devices have become high-value espionage targets.

A hardware foothold is even more powerful.

The Persistent Malware Problem

One of the most striking warnings from Kaspersky is that malware deployed through this weakness may be exceptionally difficult to remove.

Sergey Anufrienko of Kaspersky ICS CERT notes that compromised systems could potentially simulate a reboot without actually resetting core malicious code. That means users may believe a restart cleared suspicious activity when malware remains active underneath the operating system.

Only a full power loss, including battery depletion, may guarantee a clean restart in certain compromise scenarios.

That observation reflects a larger industry lesson: traditional incident-response habits often fail against firmware-level threats.

Security teams increasingly face attacks that operate below antivirus visibility, below OS telemetry, and below endpoint detection tools.

Qualcomm’s Challenge Goes Beyond Patching

Qualcomm formally acknowledged the vulnerability in April 2025 after Kaspersky privately reported it the month before. The bigger challenge now is mitigation at scale.

Because affected chips are embedded in:

• legacy smartphones
• tablets
• 5G networking hardware
• connected vehicles
• industrial controllers
• smart city infrastructure
• IoT deployments

…the exposure surface is broad and fragmented.

Many industrial and embedded devices remain in operation for 7–15 years, often with limited update mechanisms. Some may never receive vendor remediation.

That creates a familiar cybersecurity gap: disclosure happens quickly, mitigation unfolds slowly, and attackers exploit the window in between.

What Users and Organizations Should Do Now

For consumers, the immediate risk remains targeted rather than mass exploitation, but precautions matter:

• Avoid leaving devices unattended in untrusted environments
• Use authorized repair channels
• Reflash firmware after suspicious servicing when possible
• Enable strong authentication and hardware-backed encryption
• Keep vendor firmware updated

For enterprises, stronger measures are needed:

• Validate device integrity during procurement
• Audit supply-chain handling
• Use tamper-evident logistics controls
• Monitor firmware behavior, not just operating systems
• Segment sensitive mobile and IoT devices from core networks

A Warning Sign for the Connected Era

The Qualcomm BootROM vulnerability is more than another CVE — it is a reminder that cybersecurity weaknesses increasingly live below the software layer, inside hardware foundations most users never see.

As smartphones become digital wallets, vehicles become connected computers, and factories rely on intelligent edge devices, chip-level trust is no longer a technical detail — it is infrastructure security.

And when trust at the silicon layer breaks, everything built on top becomes questionable.