CVE-2025-31715
Published: 18 August 2025
Summary
CVE-2025-31715 is a critical-severity an unspecified weakness vulnerability in Unisoc (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 23.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-31715 is a command injection vulnerability in the VoWiFi service stemming from improper input validation. This flaw affects the VoWiFi service component, as disclosed by Unisoc, a chipset vendor whose products are commonly integrated into mobile devices supporting Voice over WiFi functionality.
The vulnerability enables remote exploitation over the network (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). A successful attack leads to escalation of privilege without additional execution privileges needed, resulting in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS v3.1 base score of 9.8.
Unisoc has published a security announcement regarding CVE-2025-31715 at https://www.unisoc.com/en_us/secy/announcementDetail/1944933773300793346, which security practitioners should consult for details on affected versions, patches, or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-25107
Vulnerability details
In vowifi service, there is a possible command injection due to improper input validation. This could lead to remote escalation of privilege with no additional execution privileges needed.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in network-accessible VoWiFi service directly enables remote exploitation of public-facing apps (T1190) and results in unauthenticated privilege escalation (T1068).
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates information input validation and error handling at input points to prevent command injection vulnerabilities like CVE-2025-31715.
Requires timely identification, reporting, and correction of system flaws, enabling patching of the specific command injection vulnerability in the VoWiFi service.
Enforces information input restrictions at system boundaries, complementing validation to block malformed inputs that could lead to command injection in the VoWiFi service.