Cyber Resilience

CVE-2025-21480

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 03 June 2025

Modified: 28 October 2025
KEV Added: 03 June 2025
Patch
CVSS Score v3.1: 8.6 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS Score: 0.0200 (84.0th percentile)
Risk Priority: 38 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-21480 is a high-severity Incorrect Authorization (CWE-863) vulnerability in Qualcomm Aqt1000 Firmware. Its CVSS base score is 8.6 (High).

Operationally, it ranks in the top 16.0% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-16 (Memory Protection).

Deeper analysis

CVE-2025-21480 is a memory corruption vulnerability caused by unauthorized command execution in the GPU micronode when a specific sequence of commands is processed. The flaw, tracked under CWE-863, affects Qualcomm GPU components and carries a CVSS 3.1 score of 8.6 reflecting local attack vector, no privileges required, required user interaction, and changed scope with high impact on confidentiality, integrity, and availability.

An attacker with the ability to execute code or submit commands on an affected device can trigger the flaw to corrupt memory. Successful exploitation can allow the attacker to achieve elevated privileges or arbitrary code execution within the GPU context, potentially compromising the broader system due to the changed scope.

The Qualcomm June 2025 security bulletin provides patches addressing the issue, and the vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, confirming observed in-the-wild exploitation. The associated EPSS score has remained flat at 0.02 with no material increase since disclosure.

Vulnerability details

Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.

CWE(s): CWE-863 (Incorrect Authorization)
KEV Date Added: 03 June 2025

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor | Product | Versions
qualcomm | aqt1000 firmware | all versions
qualcomm | fastconnect 6200 firmware | all versions
qualcomm | fastconnect 6700 firmware | all versions
qualcomm | fastconnect 6800 firmware | all versions
qualcomm | fastconnect 6900 firmware | all versions
qualcomm | fastconnect 7800 firmware | all versions
qualcomm | qca6391 firmware | all versions
qualcomm | qcm4490 firmware | all versions
qualcomm | qcs4490 firmware | all versions
qualcomm | sc8380xp firmware | all versions
+66 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly blocks the unauthorized command sequences that trigger GPU micronode memory corruption by enforcing authorization before any command is accepted.

Prevent: Applies memory-protection mechanisms that would stop the corruption resulting from the malicious command sequence in the GPU micronode.

Prevent: Validates command input to reject malformed or unauthorized sequences before they reach the GPU micronode execution path.
