Qualcomm Chip Flaw Could Allow Full Device Takeover, Kaspersky Warns

Kaspersky says a BootROM vulnerability in widely used Qualcomm chips could allow attackers to access data, hijack sensors, and in some cases fully control devices with only minutes of physical access, as global cyberattack volumes remain at historically elevated levels.

Kaspersky ICS CERT says it has uncovered a hardware-level vulnerability in Qualcomm chipsets used across smartphones, tablets, vehicles, and IoT systems, warning it could enable data theft and full device compromise.

The flaw, it says, sits in the BootROM, firmware embedded at the hardware level. If exploited, attackers could access stored data, activate sensors such as cameras and microphones, and in some cases take full control of a device. The research was presented at Black Hat Asia 2026.

The vulnerability affects Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952 and SDX50 series chips. It was reported to Qualcomm in March 2025, with the company acknowledging it in April 2025. It has been assigned CVE-2026-25262. Researchers said other Qualcomm-based chipsets may also be affected.

Kaspersky researchers analysed the Sahara protocol, a low-level communication system used when Qualcomm chips enter Emergency Download Mode (EDL), a recovery mode designed to restore or repair devices before the operating system loads.

They found that a flaw in this process could allow attackers with physical access to bypass chip security protections, compromise the secure boot chain, and install malicious software or backdoors on the application processor.

In smartphones and tablets, this could expose sensitive user data including passwords, files, contacts, location data, and potentially camera and microphone feeds.

“A potential attacker only needs a few minutes of physical access to a device to compromise it,” researchers warned, adding that unattended devices or those sent for repair could be at risk, including potential exposure during supply chain handling.

“Vulnerabilities like this may allow attackers to deploy malware that is difficult to detect and remove. In practice, this could enable covert data collection or influence device behaviour over extended periods of time,” Sergey Anufrienko, security expert at Kaspersky ICS CERT told Impact Newswire. “While a reboot might seem like an effective way to remove such malware, it cannot always be relied upon: compromised systems may simulate a reboot without actually resetting. In such cases, only a complete loss of power – including battery depletion – guarantees a clean restart.”

The findings come as global cyber risk continues to intensify. According to Check Point Research’s 2025 Global Threat Intelligence report, organizations face an average of more than 2,000 cyberattacks per week, marking sustained high-pressure targeting across industries and regions.

Ransomware remains a major driver of financial and operational disruption. IBM’s Cost of a Data Breach Report 2025 found the average global cost of a data breach reached $4.45 million, while breaches continue to take an average of over 240 days to identify and contain.

Meanwhile, Verizon’s 2025 Data Breach Investigations Report (DBIR) estimates that ransomware is present in roughly 1 in 3 breaches globally, underscoring its continued dominance in the cybercrime ecosystem.

Kaspersky advised strict physical security controls across device supply, maintenance, and disposal stages. It added that cutting power to affected devices or fully discharging the battery may help remove malware in some cases.

Get the latest news and insights that are shaping the world. Subscribe to Impact Newswire to stay informed and be part of the global conversation.

Got a story to share? Pitch it to us at info@impactnews-wire.com and reach the right audience worldwide