Cyber Posture

CVE-2025-47366

High

Published: 02 February 2026

Published
02 February 2026
Modified
11 February 2026
KEV Added
Patch
CVSS Score 7.1 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS Score 0.0001 0.3th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-47366 is a high-severity Exposed Dangerous Method or Function (CWE-749) vulnerability in Qualcomm Ar8035 Firmware. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique.
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CM-7 Least Functionality
addresses: CWE-749

Explicitly prohibiting dangerous or unnecessary functions and services prevents exposure of methods that could be directly exploited.

SC-25 Thin Nodes
addresses: CWE-749

Minimal functionality removes or avoids exposure of dangerous methods and functions.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
attack.mitre.org →
T1212 Exploitation for Credential Access Credential Access
Adversaries may exploit software vulnerabilities in an attempt to collect credentials.
attack.mitre.org →
Why these techniques?

Local low-priv exploit of exposed dangerous function in Qualcomm TrustZone/TEE directly enables privilege escalation (T1068) and credential/sensitive data access (T1212) with high confidentiality/integrity impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input.

Deeper analysisAI

CVE-2025-47366 is a cryptographic vulnerability affecting Qualcomm components, specifically arising in a Trusted Zone with outdated code that is triggered by a High-Level Operating System (HLOS) providing incorrect input. Assigned a CVSS v3.1 base score of 7.1 (High), it maps to CWE-749 (Exposed Dangerous Method or Function) and includes NVD-CWE-noinfo. The issue was published on 2026-02-02.

A local attacker with low privileges can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation enables high-impact confidentiality and integrity violations, such as unauthorized access to or modification of sensitive data, while availability remains unaffected and scope is unchanged.

Qualcomm's February 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html provides further details on affected products and recommended mitigations or patches.

Details

CWE(s)
CWE-749NVD-CWE-noinfo

Affected Products

qualcomm
ar8035 firmware
all versions
qualcomm
fastconnect 6200 firmware
all versions
qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
qdx1011 firmware
all versions
qualcomm
qep8111 firmware
all versions
qualcomm
qfw7114 firmware
all versions
qualcomm
qfw7124 firmware
all versions
qualcomm
qmp1000 firmware
all versions
+149 more product configuration(s) — see NVD for full list

CVEs Like This One

CVE-2025-47346Same product: Qualcomm Ar8035
CVE-2025-47345Same product: Qualcomm Ar8035
CVE-2025-47397Same product: Qualcomm Fastconnect 6200
CVE-2025-47348Same product: Qualcomm Ar8035
CVE-2025-47398Same product: Qualcomm Fastconnect 6200
CVE-2026-24082Same product: Qualcomm Ar8035
CVE-2024-53024Same product: Qualcomm Ar8035
CVE-2024-49834Same product: Qualcomm Fastconnect 6200
CVE-2024-53023Same product: Qualcomm Ar8035
CVE-2024-45553Same product: Qualcomm Ar8035

References