PatchSiren cyber security CVE debrief
CVE-2025-71254 Unisoc CVE debrief
CVE-2025-71254 is a high-severity availability issue in Modem IMS. According to the official summary, improper input validation could let a remote attacker trigger denial of service without needing additional execution privileges. NVD published the record on 2026-05-06 and updated it on 2026-05-11.
- Vendor
- Unisoc
- Product
- CVE-2025-71254
- CVSS
- HIGH 7.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-06
- Original CVE updated
- 2026-05-11
- Advisory published
- 2026-05-06
- Advisory updated
- 2026-05-11
Who should care
Mobile OEMs, carrier operations teams, and security owners responsible for Unisoc-based Android devices or firmware that includes the affected Modem IMS component. Also relevant to patch-management teams tracking Android 13/14/15/16 device exposure in NVD.
Technical summary
The official record describes a network-reachable improper input validation problem in Modem IMS. The stated impact is remote denial of service, with CVSS 3.1 metrics of AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. NVD does not identify a specific CWE beyond NVD-CWE-noinfo. The supplied NVD metadata also includes a vendor advisory reference from Unisoc and CPE entries for Android 13 through 16, so applicability should be confirmed against the vendor bulletin and the device firmware matrix.
Defensive priority
High. The issue is remotely triggerable, requires no privileges or user interaction, and can interrupt service availability.
Recommended defensive actions
- Check the Unisoc vendor advisory and map the affected Modem IMS component to your device inventory.
- Prioritize firmware or vendor patch deployment for any exposed Android 13/14/15/16 devices that include the affected stack.
- Coordinate with OEM and carrier partners to confirm which product builds are in scope before remediation.
- Monitor for modem crashes, IMS service restarts, or unexplained loss of cellular service that may indicate impact.
- Reassess exposure after patching and validate that updated firmware versions are present across fleets.
Evidence notes
Based only on the supplied official corpus: NVD lists CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H and an official Unisoc vendor advisory reference. The description explicitly states remote denial of service from improper input validation in Modem IMS. NVD’s weakness field is NVD-CWE-noinfo, so the precise CWE is not specified in the source corpus. The NVD CPE set includes Android 13/14/15/16 vulnerable entries and several Unisoc chipset entries marked non-vulnerable, so device-level applicability should be validated against the vendor bulletin rather than assumed from model names alone.
Official resources
-
CVE-2025-71254 CVE record
CVE.org
-
CVE-2025-71254 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Vendor Advisory
Publicly disclosed in the official CVE/NVD record on 2026-05-06 and updated on 2026-05-11.