PatchSiren

CVE-2025-21479 Qualcomm CVE debrief

CVE-2025-21479 is a Qualcomm incorrect authorization vulnerability affecting multiple chipsets. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on 2025-06-03, so organizations that rely on Qualcomm-based hardware should treat it as urgent and follow vendor mitigation guidance as soon as possible.

Vendor: Qualcomm
Product: Multiple Chipsets
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-06-03
Original CVE updated: 2025-06-03
Advisory published: 2025-06-03
Advisory updated: 2025-06-03

Who should care

Asset owners, OEMs, device fleet operators, and security teams responsible for Qualcomm-based products or systems that include Qualcomm chipsets should prioritize this issue, especially where patching or mitigation must be coordinated through a device vendor.

Technical summary

The public record identifies CVE-2025-21479 as an incorrect authorization vulnerability affecting multiple Qualcomm chipsets. The official sources in the supplied corpus do not provide deeper technical details, but CISA’s KEV listing indicates the issue is significant enough to require prompt action. The KEV entry also points readers to Qualcomm’s June 2025 security bulletin and the NVD record for additional vendor and database context.

Defensive priority

High. CISA has placed this CVE in the KEV catalog, and the KEV due date is 2025-06-24. Treat mitigation or patch deployment as urgent, particularly for exposed or hard-to-update Qualcomm-based devices.

Recommended defensive actions

  • Review Qualcomm’s June 2025 security bulletin for product-specific remediation guidance.
  • Check with the relevant device OEM or chipset vendor for patch availability and deployment instructions.
  • Apply vendor mitigations as soon as they are available; if mitigations are unavailable, follow CISA’s guidance to discontinue use of the product where feasible.
  • Inventory Qualcomm-based assets to identify affected devices and prioritize those exposed to untrusted inputs or network access.
  • Track remediation progress against the KEV due date of 2025-06-24 and escalate any exceptions.

Evidence notes

CISA’s Known Exploited Vulnerabilities catalog entry names the issue as “Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability,” lists Qualcomm as the vendor project, and gives a due date of 2025-06-24. The KEV metadata also references Qualcomm’s June 2025 security bulletin and the NVD record. The supplied corpus does not include the bulletin text or NVD details, so no further technical specifics are asserted here.

Official resources

Publicly listed by CISA in the Known Exploited Vulnerabilities catalog on 2025-06-03. CISA’s entry references Qualcomm’s June 2025 bulletin and the NVD record for follow-up.