Cybersecurity firm Kaspersky has disclosed a hardware-level vulnerability in widely used Qualcomm chipsets that could allow an attacker with only minutes of physical access to seize control of a device, steal data, and activate its camera and microphone without detection.
Kaspersky’s Industrial Control Systems Computer Emergency Response Team (ICS CERT) found the vulnerability in the BootROM, firmware embedded at the hardware level, across chipsets used in smartphones, tablets, automotive components, and Internet of Things (IoT) devices. Findings were presented at Black Hat Asia 2026.
Classified as CVE-2026-25262, the flaw is a write-what-where condition in the Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952, and SDX50 chipset series. It enables an attacker with physical access to bypass the secure boot chain and execute arbitrary code with maximum privileges.
Researchers traced the flaw to the Sahara protocol, a low-level communication system activated when Qualcomm chips enter Emergency Download Mode (EDL), a recovery mechanism designed to restore devices before the operating system loads. A flaw in this process allows attackers to install malicious software or backdoors directly on the application processor.
The vulnerability was reported to Qualcomm in March 2025 and formally acknowledged by the company in April 2025. Researchers noted that other Qualcomm-based chipsets beyond those named may also be affected.
Sergey Anufrienko, a security expert at Kaspersky ICS CERT, warned that malware deployed through this method could be particularly difficult to detect and remove. He noted that a compromised device may simulate a reboot without actually resetting, meaning only a complete loss of power, including full battery depletion, can guarantee a clean restart.
The disclosure arrives against a backdrop of sustained global cyber pressure. According to Check Point Research’s 2025 Global Threat Intelligence report, organisations face an average of more than 2,000 cyberattacks per week. IBM’s Cost of a Data Breach Report 2025 placed the average global cost of a data breach at 4.45 million US dollars, while Verizon’s 2025 Data Breach Investigations Report (DBIR) estimated ransomware is present in roughly one in three breaches worldwide.
Kaspersky advised strict physical security controls at every stage of device supply, maintenance, and disposal, warning that unattended devices and those sent for repair are especially vulnerable to exploitation.
