Qualcomm Patches Actively Exploited Zero-Day Vulnerabilities in Phone Chips
Qualcomm has addressed several vulnerabilities in its chips, including three zero-day flaws that were potentially exploited in hacking campaigns. Patches were released on Monday to mitigate these issues across numerous chipsets. These vulnerabilities were brought to Qualcomm’s attention by Google’s Threat Analysis Group (TAG), which tracks government-backed cyber activities.
According to Qualcomm’s security bulletin, TAG reported the three zero-day vulnerabilities (CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038) in February. Zero-day vulnerabilities are particularly dangerous because they are unknown to the vendor at the time of discovery, making them highly prized by cybercriminals and state-sponsored hackers.
The risk stems from the fact that these vulnerabilities are present in widely used chipsets found in numerous Android devices. Once a zero-day is discovered, it can be used to gain unauthorized access to devices, steal data, or even install malware. The fact that these vulnerabilities were already being exploited makes this a high-priority security concern.
Now that Qualcomm has released the patches, it is up to device manufacturers to integrate and deploy these updates to their users. This process can take time due to the fragmented nature of the Android ecosystem. Consequently, many devices may remain vulnerable for weeks until updates are available and installed.
Qualcomm stated that the patches were made available to device manufacturers in May and strongly recommended prompt deployment of the updates to affected devices. Google spokesperson Ed Fernandez confirmed that Google’s Pixel devices are not affected by these specific Qualcomm vulnerabilities.
Chipsets in mobile devices are attractive targets because they often have broad access to the operating system. This access allows attackers to potentially move to other sensitive areas of the device once a vulnerability is exploited. There have been previous instances where Qualcomm chipsets were targeted, including a case where Serbian authorities exploited a zero-day using Cellebrite to plant spyware on a journalist’s phone, as reported by Amnesty International last year.
“We encourage end users to apply security updates as they become available from device makers,” said Qualcomm spokesperson Dave Schefcik, highlighting the importance of user vigilance in maintaining device security.
For further information or to report related findings, Lorenzo Franceschi-Bicchierai can be contacted securely via Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email.
