Cyber Posture

CVE-2025-21450

Critical

Published: 08 July 2025

Published
08 July 2025
Modified
11 August 2025
KEV Added
Patch
CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0020 42.0th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-21450 is a critical-severity Improper Authentication (CWE-287) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-8 Transmission Confidentiality and Integrity good match
prevent

Mandates cryptographic mechanisms to protect confidentiality and integrity of transmitted information, directly countering the insecure connection method exploited during downloads.

SC-13 Cryptographic Protection good match
prevent

Requires implementation of cryptographic protections compliant with defined requirements, addressing the core cryptographic vulnerability in download processes.

SC-12 Cryptographic Key Establishment and Management partial match
prevent

Establishes and manages cryptographic keys necessary for secure connections, mitigating risks from improper key handling in insecure download methods.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1557 Adversary-in-the-Middle Credential Access
Adversaries may attempt to position themselves between two or more networked devices using an adversary-in-the-middle (AiTM) technique to support follow-on behaviors such as [Network Sniffing](https://attack.
attack.mitre.org →
Why these techniques?

Insecure download connection with improper authentication (CWE-287/863) enables remote network attackers to access/modify data, directly facilitating public-facing application exploitation and adversary-in-the-middle attacks on transmitted content.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Cryptographic issue occurs due to use of insecure connection method while downloading.

Deeper analysisAI

CVE-2025-21450 is a cryptographic vulnerability caused by the use of an insecure connection method during downloads. It affects Qualcomm products, as outlined in the vendor's security bulletin. The vulnerability carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and maps to CWE-287 (Improper Authentication) and CWE-863 (Incorrect Authorization). It was published on 2025-07-08.

Remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or scope changes. Successful exploitation enables high-impact violations of confidentiality and integrity, such as unauthorized access to or modification of downloaded data.

Mitigation details, including affected products and patches, are provided in the Qualcomm July 2025 Security Bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html.

Details

CWE(s)
CWE-287CWE-863

Affected Products

qualcomm
ar8035 firmware
all versions
qualcomm
fastconnect 6200 firmware
all versions
qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
wcd9378 firmware
all versions
qualcomm
wcd9380 firmware
all versions
qualcomm
wcd9385 firmware
all versions
qualcomm
wcd9390 firmware
all versions
qualcomm
wcd9395 firmware
all versions
+98 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2024-49838Same product: Qualcomm Ar8035
CVE-2024-49839Same product: Qualcomm Ar8035
CVE-2025-21427Same product: Qualcomm Fastconnect 6200
CVE-2025-47366Same product: Qualcomm Ar8035
CVE-2024-45584Same product: Qualcomm Ar8035
CVE-2024-49834Same product: Qualcomm Fastconnect 6200
CVE-2025-47345Same product: Qualcomm Ar8035
CVE-2024-45553Same product: Qualcomm Ar8035
CVE-2025-47346Same product: Qualcomm Ar8035
CVE-2025-47392Same product: Qualcomm Ar8035

References