Kaspersky ICS CERT has officially disclosed a severe, hardware-level vulnerability affecting a massive range of Qualcomm Snapdragon chipsets. Publicly presented at the Black Hat Asia 2026 conference on April 23, this exploit—tracked as CVE-2026-25262—has sent ripples through the tech community. Originally confirmed by Qualcomm in April 2025, the details are now fully public, revealing a dangerous backdoor that can lead to catastrophic data loss and complete device compromise.
The Sahara Protocol and BootROM Exploitation
The vulnerability resides deep within the BootROM—the very first piece of firmware that executes at the hardware level when a device powers on. Because this code is hardcoded into the silicon, it is notoriously difficult, if not impossible, to patch via standard Over-The-Air (OTA) software updates.
Security researchers found a critical flaw in Qualcomm’s handling of the Sahara protocol. For those familiar with low-level device flashing, the Sahara protocol is the communication system used during Emergency Download (EDL) mode; it is designed to load essential software before the main operating system even boots.
By exploiting this flaw, attackers who gain brief physical access to a device (often just a few minutes) can completely bypass secure boot chain protections. Once compromised, the application processor is breached, allowing the attacker to:
- Deploy malicious, persistent backdoors.
- Extract highly sensitive user data, including passwords, files, contacts, and live location.
- Hijack device sensors, opening the door for active camera and microphone surveillance without the user’s knowledge.
What makes this particularly insidious is the malware’s ability to simulate a fake system reboot to deceive the user. Experts warn that the malicious code is incredibly difficult to detect, and in some instances, completely removing the threat requires entirely depleting the device’s battery to clear the volatile memory.
Affected Chipsets and Devices
While modern flagship processors like the Snapdragon 8 Elite feature significantly hardened security architectures, this vulnerability severely impacts widely distributed legacy and mid-range components.
Vulnerable Qualcomm Chipsets:
- MSM8916 (Snapdragon 410) (Xiaomi REDMI 2)
- SDX50 (Xiaomi Mi MIX 3 5G and Mi 9 Pro 5G)
- MDM9x07
- MDM9x45 (Xiaomi Mi 5, Mi 5s, Mi 5s Plus, Mi Note 2, Mi MIX)
- MDM9x65
- MSM8909
- MSM8952
Real-World Threats
While the necessity for physical access mitigates the risk of a remote, mass-scale cyberattack, the danger to the supply chain, equipment maintenance logistics, and targeted individuals is immense. An infected device essentially becomes a fully compromised surveillance tool. Because this targets hardware used in everything from consumer REDMI phones to industrial IoT systems, the scope of the threat is vast.