Cyber Resilience

CVE-2026-25293

Critical

Published: 04 May 2026

Published
04 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score v3.1 9.6 CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0018 7.9th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-25293 is a critical-severity Incorrect Authorization (CWE-863) vulnerability in Qualcomm Qca7005 Firmware. Its CVSS base score is 9.6 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 7.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25293 is a buffer overflow vulnerability caused by incorrect authorization, mapped to CWE-863, affecting PLC firmware. Published on 2026-05-04, it carries a CVSS v3.1 base score of 9.6, indicating critical severity.

An unauthenticated attacker on an adjacent network can exploit the vulnerability with low attack complexity and no user interaction required. Exploitation grants high impacts across confidentiality, integrity, and availability, with a changed scope that enables severe compromise such as arbitrary code execution on the affected PLC firmware.

Qualcomm's May 2026 security bulletin, available at https://docs.qualcomm.com/product/publicresources/securitybulletin/may-2026-bulletin.html, details mitigation strategies and available patches for addressing this issue.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Buffer overflow due to incorrect authorization in PLC FW

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Buffer overflow with missing authorization in network-exposed PLC firmware directly enables remote unauthenticated RCE from an adjacent network, matching the definition and examples of T1210 Exploitation of Remote Services.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-28466Shared CWE-863
CVE-2025-21450Same vendor: Qualcomm
CVE-2025-47398Same vendor: Qualcomm
CVE-2025-47393Same vendor: Qualcomm
CVE-2024-53031Same vendor: Qualcomm
CVE-2025-47400Same vendor: Qualcomm
CVE-2026-21367Same vendor: Qualcomm
CVE-2024-45584Same vendor: Qualcomm
CVE-2025-47343Same vendor: Qualcomm
CVE-2024-38412Same vendor: Qualcomm

Affected Assets

qualcomm
qca7005 firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the buffer overflow vulnerability in PLC firmware by applying vendor patches as specified in Qualcomm's security bulletin.

prevent

Validates information inputs to prevent buffer overflows triggered by unauthenticated requests due to incorrect authorization.

prevent

Enforces approved authorizations to mitigate exploitation arising from incorrect authorization logic in the PLC firmware.

References