CVE-2025-47378
Published: 02 March 2026
Summary
CVE-2025-47378 is a high-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Qualcomm Cologne Firmware. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 2.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-4 (Information in Shared System Resources).
Deeper analysis
CVE-2025-47378 is a cryptographic vulnerability stemming from a shared virtual machine (VM) reference that enables the High-Level Operating System (HLOS) to access the bootloader and certificate chain. It affects Qualcomm components, as detailed in their security advisories, and is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The issue received a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N), indicating high severity due to its potential for unauthorized access to sensitive cryptographic elements.
A local attacker with low privileges can exploit this vulnerability with low complexity and without user interaction. Successful exploitation has a high impact on confidentiality and integrity, such as reading sensitive certificate chain data or tampering with boot processes; availability is unaffected and the scope is unchanged.
Qualcomm's March 2026 security bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html provides further details on affected products, patches, and mitigation recommendations for this CVE.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208187
Vulnerability details
Cryptographic Issue when a shared VM reference allows HLOS to boot loader and access cert chain.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local exposure of bootloader/cert chain data directly enables T1005 for sensitive data access and facilitates T1542.001 for boot process tampering.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Directly prevents exposure of the certificate chain and bootloader by ensuring sensitive data is not accessible through shared VM references between HLOS and lower-level components.
Enforces access control policies that would block the HLOS from reaching the bootloader and certificate chain despite the shared reference.
Provides process isolation that limits the impact of a shared VM reference, reducing the ability of HLOS to access protected cryptographic material.