CVE Alert: CVE-2025-27060 – Qualcomm, Inc. – Snapdragon

CVE-2025-27060

HIGH · No exploitation known

Memory corruption while performing SCM call with malformed inputs.

CVSS v3.1: 8.8 (AV LOCAL · AC LOW · PR LOW · UI NONE · S CHANGED)
Vendor: Qualcomm, Inc.
Product: Snapdragon
Versions: Immersive Home 214 Platform | Immersive Home 216 Platform | Immersive Home 316 Platform | Immersive Home 318 Platform | IPQ5010 | IPQ5028 | QCN6023 | QCN6024 | QCN6100 | QCN6102 | QCN6112 | QCN6122 | QCN6132 | QCN9000 | QCN9001 | QCN9002 | QCN9003 | QCN9012 | QCN9022 | QCN9024 | QCN9070 | QCN9072 | QCN9074 | QCN9100 | QCN9274
CWE: CWE-822 Untrusted Pointer Dereference
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Published: 2025-10-09T03:18:06.050Z
Updated: 2025-10-09T03:18:06.050Z

AI Summary Analysis

Risk verdict

High risk of local memory corruption enabling control of the device; urgency depends on exploitation indicators, but the CVSS shows a high-impact, local-access flaw.

Why this matters

Exploitation could compromise confidentiality, integrity, and availability at the device level, with potential to pivot within a network or onward to connected endpoints. In networking/embedded deployments, an attacker with local access could disrupt service, exfiltrate data, or undermine trusted components.

Most likely attack path

An attacker with local access can trigger the SCM call with malformed inputs to induce memory corruption. Attack complexity is low and no user interaction is required; the changed scope and high impact ratings imply possible escalation within the device after an initial foothold. The precondition is physical/local proximity or prior access to a management/administrative surface.

Who is most exposed

Devices in embedded networking, gateway, or home/enterprise networking deployments that rely on the affected TZ/SCM components are most exposed, especially where local maintenance or debugging interfaces are accessible.

Detection ideas

  • Crashes, kernel panics, or watchdog resets after local SCM activity.
  • Logs showing SCM calls failing due to malformed inputs.
  • Abnormal memory or privilege-related anomalies in trusted execution/firmware components.
  • Frequent local access attempts to management interfaces without UI interaction.
  • Unusual firmware crash dumps or secure monitor traces.

Mitigation and prioritisation

  • Apply vendor-released TZ/SCM firmware updates addressing untrusted pointer dereference.
  • Enforce strict physical access controls; minimise exposure of local management interfaces.
  • Enable secure/verified boot, memory protections, and strict least-privilege for management processes.
  • Coordinate patch rollout with testing and change-management; validate stability before broad deployment.
  • If KEV is true or EPSS ≥ 0.5, treat as priority 1. Otherwise maintain high-priority remediation with close monitoring.
