CVE-2025-47383
Published: 02 March 2026
Summary
CVE-2025-47383 is a high-severity Missing Cryptographic Step (CWE-325) vulnerability in Qualcomm 5G Fixed Wireless Access Platform Firmware. Its CVSS base score is 7.2 (High).
Operationally, it ranks at the 5.6th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2025-47383 is a vulnerability in which weak configuration may lead to a cryptographic issue when a VoWiFi call is triggered from user equipment (UE). It is associated with CWE-325 (Missing Required Cryptographic Step) and affects Qualcomm components, as documented in their security bulletin. The vulnerability received a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to network accessibility, low attack complexity, high confidentiality/integrity/availability impact, and unchanged scope.
An attacker with high privileges (PR:H) can exploit this vulnerability over the network (AV:N) with low complexity (AC:L) and without requiring user interaction (UI:N). Successful exploitation could result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), stemming from the cryptographic failure triggered by VoWiFi call initiation from the UE.
Qualcomm's March 2026 security bulletin provides details on the issue, including advisories and patches for mitigation, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2026-bulletin.html. The CVE was published on 2026-03-02T17:16:26.383.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-208190
Vulnerability details
Weak configuration may lead to cryptographic issue when a VoWiFi call is triggered from UE.
- CWE(s): CWE-325 (Missing Required Cryptographic Step)
Related Threats
MITRE ATT&CK Enterprise Techniques
Insufficient information to map techniques.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- Directly requires cryptographic protection mechanisms, addressing the missing cryptographic step (CWE-325) that occurs during VoWiFi call initiation.
- Enforces approved secure configuration settings, directly mitigating the weak configuration root cause that enables the cryptographic failure.
- Requires protection of wireless links against signal and data compromise, covering the VoWiFi-specific wireless vector used to trigger the flaw.