Cyber Resilience

CVE-2025-47345

High

Published: 07 January 2026

Modified: 27 January 2026
KEV Added
Patch
CVSS Score v3.1: 8.4 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N)
EPSS Score: 0.0001 (1.8th percentile)
Risk Priority: 17 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-47345 is a high-severity vulnerability of type Reusing a Nonce, Key Pair in Encryption (CWE-323) in Qualcomm Wcd9385 Firmware. Its CVSS base score is 8.4 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 1.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-28 (Protection of Information at Rest).

Deeper analysis

CVE-2025-47345 is a cryptographic vulnerability that may occur while encrypting license data in Qualcomm products. Published on 2026-01-07, it carries a CVSS v3.1 base score of 8.4 (AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N) and maps to CWE-323.

A local attacker with low privileges can exploit this issue with low attack complexity and no user interaction. Exploitation has a high impact on confidentiality and integrity, and the scope is changed (S:C), meaning the impact extends beyond the vulnerable component.

Qualcomm's January 2026 security bulletin details the vulnerability and associated mitigations at https://docs.qualcomm.com/product/publicresources/securitybulletin/january-2026-bulletin.html.

Vulnerability details

Cryptographic issue may occur while encrypting license data.

CWE(s)

CWE-323 (Reusing a Nonce, Key Pair in Encryption)

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local cryptographic flaw (nonce/key reuse) in license encryption yields scope-changing, high confidentiality and integrity impact from low privileges, enabling exploitation for privilege escalation.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-47346 · Same product: Qualcomm Ar8035
CVE-2025-47339 · Same product: Qualcomm Ar8035
CVE-2024-45584 · Same product: Qualcomm Ar8035
CVE-2025-47348 · Same product: Qualcomm Ar8035
CVE-2024-45553 · Same product: Qualcomm Ar8035
CVE-2025-47377 · Same product: Qualcomm Ar8035
CVE-2024-49833 · Same product: Qualcomm Fastconnect 6700
CVE-2025-47389 · Same product: Qualcomm Ar8035
CVE-2025-47373 · Same product: Qualcomm Ar8035
CVE-2024-53023 · Same product: Qualcomm Ar8035

Affected Assets

qualcomm · wcd9385 firmware · all versions
qualcomm · wcd9390 firmware · all versions
qualcomm · wcd9395 firmware · all versions
qualcomm · wcn3950 firmware · all versions
qualcomm · wcn3988 firmware · all versions
qualcomm · wcn6650 firmware · all versions
qualcomm · wcn6755 firmware · all versions
qualcomm · wcn7750 firmware · all versions
qualcomm · wcn7860 firmware · all versions
qualcomm · wcn7861 firmware · all versions
+95 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires identification, reporting, and correction of the specific cryptographic flaw in license data encryption, preventing exploitation of CVE-2025-47345.

prevent: Mandates implementation of appropriate cryptographic mechanisms to protect license data confidentiality and integrity against the vulnerability during encryption.

prevent: Requires cryptographic protection of information at rest, including license data, to comprehensively mitigate confidentiality and integrity impacts from the encryption flaw.
