CVE-2025-21450
Published: 08 July 2025
Summary
CVE-2025-21450 is a critical-severity Improper Authentication (CWE-287) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-21450 is a cryptographic vulnerability caused by the use of an insecure connection method during downloads. It affects Qualcomm products, as outlined in the vendor's security bulletin. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization). It was published on 2025-07-08.
Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or scope changes. Successful exploitation enables high-impact violations of confidentiality and integrity, such as unauthorized access to or modification of downloaded data.
Mitigation details, including affected products and patches, are provided in the Qualcomm July 2025 Security Bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-20485
Vulnerability details
Cryptographic issue occurs due to use of insecure connection method while downloading.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Insecure download connection with improper authentication (CWE-287/863) enables remote network attackers to access/modify data, directly facilitating public-facing application exploitation and adversary-in-the-middle attacks on transmitted content.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Mandates cryptographic mechanisms to protect confidentiality and integrity of transmitted information, directly countering the insecure connection method exploited during downloads.
Requires implementation of cryptographic protections compliant with defined requirements, addressing the core cryptographic vulnerability in download processes.
Establishes and manages cryptographic keys necessary for secure connections, mitigating risks from improper key handling in insecure download methods.