PatchSiren

CVE-2025-21480 Qualcomm CVE debrief

CVE-2025-21480 is a Qualcomm incorrect authorization vulnerability affecting multiple chipsets. CISA added it to the Known Exploited Vulnerabilities catalog on 2025-06-03, which makes this a high-priority remediation item for organizations that rely on Qualcomm-based devices or platforms. Because the supplied record does not include a CVSS score, use the KEV listing, vendor guidance, and OEM patch status to drive response timing.

Vendor: Qualcomm
Product: Multiple Chipsets
CVSS: Unknown
CISA KEV: Listed
Original CVE published: 2025-06-03
Original CVE updated: 2025-06-03
Advisory published: 2025-06-03
Advisory updated: 2025-06-03

Who should care

Security and device-management teams responsible for Qualcomm-based hardware, OEM platform owners, and any organization that depends on products built on the affected Qualcomm chipsets. If you operate fleets where vendor patch availability varies by OEM, coordinate directly with the device vendor as soon as possible.

Technical summary

The source corpus describes the issue only as an incorrect authorization vulnerability affecting multiple Qualcomm chipsets. An incorrect authorization flaw generally means a component fails to properly enforce access controls, which can allow actions or access that should be denied. The provided evidence does not include exploit mechanics, affected firmware versions, or impact details, so remediation should follow Qualcomm’s June 2025 security bulletin and the relevant OEM instructions.

Defensive priority

Urgent. CISA KEV inclusion indicates known exploitation, so this should be treated as a time-sensitive remediation item with attention to the 2025-06-24 due date.

Recommended defensive actions

  • Review Qualcomm’s June 2025 security bulletin and any OEM-specific advisories for affected chipset models and patch availability.
  • Apply vendor-provided mitigations or updates as soon as they are available.
  • If mitigations are unavailable, follow CISA guidance to discontinue use of the product where feasible.
  • Prioritize remediation before the CISA KEV due date of 2025-06-24.
  • Confirm exposure across device inventories that include Qualcomm-based hardware and track OEM patch status separately from Qualcomm’s bulletin.
  • Validate that compensating controls, if used, are actually enforceable on the affected devices.

Evidence notes

Evidence is limited to the CISA KEV entry and official CVE/NVD references supplied in the corpus. CISA’s KEV metadata identifies the issue as 'Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability,' with dateAdded 2025-06-03 and dueDate 2025-06-24. The CISA record explicitly advises applying mitigations per vendor instructions, following applicable BOD 22-01 guidance for cloud services, or discontinuing use if mitigations are unavailable. The KEV notes also point to Qualcomm’s June 2025 security bulletin: https://docs.qualcomm.com/product/publicresources/securitybulletin/june-2025-bulletin.html

Official resources

CVE published and modified on 2025-06-03 in the supplied record. This debrief was prepared from the supplied KEV and official reference metadata only; no unsupported exploit or impact details were inferred.