Cyber Resilience

CVE-2025-47383

High

Published: 02 March 2026

Modified: 04 March 2026
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0002 (5.6th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-47383 is a high-severity Missing Cryptographic Step (CWE-325) vulnerability in Qualcomm 5G Fixed Wireless Access Platform Firmware. Its CVSS base score is 7.2 (High).

Operationally, it ranks at the 5.6th percentile by exploit likelihood (EPSS), below the median, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2025-47383 is a vulnerability in which weak configuration may lead to a cryptographic issue when a VoWiFi call is triggered from user equipment (UE). It is associated with CWE-325 (Missing Required Cryptographic Step) and affects Qualcomm components, as documented in their security bulletin. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, high confidentiality/integrity/availability impact, and unchanged scope.

An attacker with high privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation could result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), stemming from the cryptographic failure triggered by VoWiFi call initiation from the UE.

Qualcomm's March 2026 security bulletin provides details on the issue, including advisories and patches for mitigation, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html. The CVE was published on 2026-03-02T17:16:26.383.

Vulnerability details

Weak configuration may lead to cryptographic issue when a VoWiFi call is triggered from UE.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-47392 - Same product: Qualcomm 5G Fixed Wireless Access Platform
CVE-2026-21385 - Same product: Qualcomm 5G Fixed Wireless Access Platform
CVE-2025-47379 - Same product: Qualcomm 5G Fixed Wireless Access Platform
CVE-2025-47386 - Same product: Qualcomm Ar8035
CVE-2025-47376 - Same product: Qualcomm Ar8035
CVE-2025-47375 - Same product: Qualcomm Ar8035
CVE-2026-24091 - Same product: Qualcomm 5G Fixed Wireless Access Platform
CVE-2026-24085 - Same product: Qualcomm 5G Fixed Wireless Access Platform
CVE-2025-59604 - Same product: Qualcomm Ar8035
CVE-2025-47348 - Same product: Qualcomm Aqt1000

Affected Assets

Vendor | Product | Versions
qualcomm | 5g fixed wireless access platform firmware | all versions
qualcomm | 9206 lte modem firmware | all versions
qualcomm | 9207 lte modem firmware | all versions
qualcomm | apq8098 firmware | all versions
qualcomm | aqt1000 firmware | all versions
qualcomm | qca8337 firmware | all versions
qualcomm | qca9367 firmware | all versions
qualcomm | qca9377 firmware | all versions
qualcomm | qcc710 firmware | all versions
qualcomm | qcm2290 firmware | all versions
+196 more product configuration(s) — see NVD for full list

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Directly requires cryptographic protection mechanisms, addressing the missing cryptographic step (CWE-325) that occurs during VoWiFi call initiation.

Prevent: Enforces approved secure configuration settings, directly mitigating the weak configuration root cause that enables the cryptographic failure.

Prevent: Requires protection of wireless links against signal and data compromise, covering the VoWiFi-specific wireless vector used to trigger the flaw.
