Pierluigi Paganini
June 04, 2025
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added multiple Qualcomm chipsets flaws to its Known Exploited Vulnerabilities (KEV) catalog.
This week, Qualcomm addressed the above zero-day vulnerabilities that, according to the company, have been exploited in limited, targeted attacks in the wild.
Google Android Security team reported the three issues to the company.
“There are indications from Google Threat Analysis Group that CVE-2025-21479, CVE-2025-21480, CVE-2025-27038 may be under limited, targeted exploitation.” reads the report published by the vendor. “Patches for the issues affecting the Adreno Graphics Processing Unit (GPU) driver have been made available to OEMs in May together with a strong recommendation to deploy the update on affected devices as soon as possible.”
Below are the descriptions of these vulnerabilities:
The company did not share details about the attacks exploiting the three vulnerabilities.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by June 24, 2025.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, CISA)
