NEWS: Smartphones, tablets and even cars. A vulnerability that is almost impossible to eliminate has been found in Qualcomm chips

pinkman

The flaw is baked into the hardware at the factory level.
Kaspersky Lab has reported a hardware vulnerability in Qualcomm Snapdragon chipsets that could lead to device compromise and data leakage. The problem affects both consumer and industrial devices, including smartphones, tablets, automotive components and IoT devices.

The vulnerability lies in the BootROM, the boot firmware built in at the hardware level. Kaspersky ICS CERT experts presented the results of the study at the Black Hat Asia 2026 conference.

The attack requires physical access to the device. For a successful compromise, the attacker needs to connect the device to their equipment with a cable, and in the case of modern smartphones, the device may also need to be switched into a special mode. In some cases, even connecting to untrusted USB ports, such as charging stations at airports or hotels, may not be safe.

With a successful attack, attackers can potentially access the data stored on the device as well as components such as the camera and the microphone, carry out complex attacks and, in some cases, gain full control over the device.

The vulnerability affects the Qualcomm MDM9x07, MDM9x45, MDM9x65, MSM8909, MSM8916, MSM8952 and SDX50 chipsets. Kaspersky Lab reported the problem to the manufacturer in March 2025, and in April 2025 Qualcomm confirmed it. The vendor assigned the vulnerability the identifier CVE-2026-25262. The researchers also noted that chipsets from other manufacturers could potentially be vulnerable if they are based on Qualcomm chipsets of the listed series.

In the course of the study, the experts examined the Qualcomm Sahara protocol, a low-level communication mechanism used when the device is put into Emergency Download (EDL) mode. This mode is used when repairing or flashing devices. The Sahara protocol allows a computer to connect to the device and load software onto it before the operating system starts.

The researchers demonstrated that the vulnerability in the boot process could allow an attacker to bypass key protection mechanisms, compromise the chain of trust during boot and, in some cases, install malware or backdoors on the device's application processor. Such an attack, in turn, can lead to complete compromise of the device. In the case of a smartphone or tablet, the installed backdoor can give access to the user's passwords, and then to files, contacts, location data, as well as the camera and microphone.

The experts separately pointed to the risk of supply-chain attacks. A potential attacker needs only a few minutes of physical access to a device to compromise it. For this reason, after a smartphone has been repaired, or even after it has been left unattended for a few minutes, you can no longer be sure that it is not infected. The risk, as the researchers note, is not limited to everyday situations: a new device may be infected before purchase if the compromise occurred at some stage of the supply chain.

The most difficult stage is developing the exploit. After that, the attack itself can be carried out quickly and does not require any technical training from the attacker who has physical access to the device.

Sergey Anufrienko, an expert at Kaspersky ICS CERT, explained that such vulnerabilities can be used to install malware that is difficult to detect and remove. According to him, such a compromise allows attackers to collect data unnoticed or to influence the operation of the device for a long time. A normal reboot, as the expert noted, does not always help, since the compromised system can merely imitate a restart without actually rebooting. The only guaranteed way to clean the device's state in such a situation is a complete loss of power, for example after the battery has fully discharged.