The rapid evolution of cyber threats continues to challenge organizations worldwide, with government agencies and private enterprises scrambling to keep pace. In a recent update, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) underscored just how urgent this cyber landscape has become, announcing the addition of three newly exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog. This curated list, driven by Binding Operational Directive (BOD) 22-01, serves as an alarm bell for critical software flaws that cybercriminals are actively targeting. The inclusion of these vulnerabilities does not merely reflect abstract risk; it signals real and present danger, amplifying the call for immediate remediation not just across federal networks, but for every organization that manages sensitive data or critical infrastructure.
CVE-2025-27038, in contrast, describes a use-after-free (UAF) flaw—a memory management error wherein the software continues to use a memory space after it has been released. In practice, use-after-free vulnerabilities frequently lead to serious consequences: data leaks, code execution, or system crashes. Their presence in chipset firmware, especially in a widely deployed silicon provider like Qualcomm, implies that countless mobile devices are at risk.
Separate research and enhanced scanning of vulnerability disclosures confirm that these three CVEs remain highly relevant in today’s environment, with both security advisories and exploit-tracking databases sounding the alarm about active exploits in the wild.
With attackers increasingly shifting their tactics to target hardware-level flaws—where detection and remediation are often slower—such vulnerabilities in chipsets are particularly insidious. Hardware vulnerabilities tend to persist longer in the environment, especially if they require firmware updates that are slow to materialize or difficult to distribute. For device manufacturers, carriers, and enterprise IT teams, patching these flaws can become a logistical nightmare, sometimes demanding coordination across multiple vendors and user bases.
The directive is not merely a compliance checklist. It represents a recognition that patch backlogs, asset sprawl, and alert fatigue have left enterprises dangerously exposed. By requiring prioritized remediation of KEV-listed CVEs, BOD 22-01 seeks to break the attacker’s current playbook—one that so often exploits well-known, widely documented vulnerabilities for weeks or months after they become public.
CISA’s approach is dynamic. New vulnerabilities are added frequently as real-world evidence of exploitation emerges. The KEV Catalog, therefore, functions as a living threat matrix: protecting government infrastructure, but just as importantly, serving as a bellwether for the private sector on what requires urgent action.
This stance is bolstered by a growing collection of breach post-mortems: studies repeatedly show that the overwhelming majority of successful intrusions hinge not on zero-days, but on unpatched, widely known vulnerabilities. In essence, the KEV Catalog, originally crafted for government, is now a de facto gold standard for prioritized patching among Fortune 500s, SMEs, and managed service providers.
For Qualcomm, which supplies both the application processor and the baseband (cellular modem) components in its SoCs (system-on-chips), such a flaw can span from the OS kernel to radio firmware, amplifying the attack surface. In the worst-case scenario, exploitation might allow one app or process to break out of sandboxing, read or write private data, eavesdrop on communications, or install persistent surveillance tools.
Historical precedents, such as the infamous "QuadRooter" family of vulnerabilities, illustrate just how damaging such chipset-level flaws can be. Following their disclosure, security researchers demonstrated remote rooting of affected devices via malicious apps that abused similar authorization oversights.
Bringing these bugs down to the chipset level significantly raises the stakes. Attackers might be able to execute code in privileged execution contexts, manipulate low-level radio controls, or corrupt sensitive system data. Unlike software-only UAFs, those in firmware or drivers often escape commercial endpoint protections, requiring highly targeted and timely patches from manufacturers.
Despite advances in chip-level security (e.g., Trusted Execution Environments, memory tagging extensions), patching firmware on end devices often lags far behind public disclosure—particularly in fragmented Android and IoT ecosystems.
Yet, even in 2025, device fragmentation (driven by multiple Android forks, regional ODMs, and carrier branding) ensures that not every end user receives critical firmware updates in a timely manner. Security-conscious consumers are advised to seek manufacturers with robust security pledges—such as those covering multi-year firmware updates—and to proactively monitor for patches.
Organizations, especially those in regulated sectors or with large mobile fleets, must consider supplemental mitigations: mobile device management (MDM) controls, application allowlisting, and network traffic monitoring for attempted exploitation of known chipset bugs. The risk calculus is particularly acute for government contractors, journalists, and executives whose devices are likely targets for advanced threats.
CISA’s catalog is an indispensable compass, but it is only as effective as the speed and coverage with which organizations can act upon its guidance. Device manufacturers, software vendors, and policymakers must continue to close the patch gap, investing in transparent security communication and robust support lifecycles.
Ultimately, the greatest strength of the KEV initiative lies not just in the technology or lists it curates, but in the culture of urgency and shared responsibility it fosters. As adversaries grow ever more sophisticated, it is collaboration across sectors—and an ironclad commitment to security hygiene—that will decide whether tomorrow’s headlines are stories of compromise or of resilience.
Source: CISA CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
Dissecting the Latest Entries in CISA’s KEV Catalog
The Newly Added Vulnerabilities
The three vulnerabilities highlighted by CISA on June 3, 2025, specifically target Qualcomm chipsets—a technology backbone for a vast array of smartphones, IoT devices, and enterprise embedded systems. Here’s a breakdown:- CVE-2025-21479: Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
- CVE-2025-21480: Qualcomm Multiple Chipsets Incorrect Authorization Vulnerability
- CVE-2025-27038: Qualcomm Multiple Chipsets Use-After-Free Vulnerability
CVE-2025-27038, in contrast, describes a use-after-free (UAF) flaw—a memory management error wherein the software continues to use a memory space after it has been released. In practice, use-after-free vulnerabilities frequently lead to serious consequences: data leaks, code execution, or system crashes. Their presence in chipset firmware, especially in a widely deployed silicon provider like Qualcomm, implies that countless mobile devices are at risk.
Separate research and enhanced scanning of vulnerability disclosures confirm that these three CVEs remain highly relevant in today’s environment, with both security advisories and exploit-tracking databases sounding the alarm about active exploits in the wild.
Why Qualcomm Chipsets are a Prime Target
Qualcomm's dominance within the smartphone and IoT ecosystem cannot be understated. In 2024, roughly 40% of new smartphones shipped globally contained Qualcomm silicon, and its Snapdragon platforms maintain a presence across flagship, mid-tier, and budget devices. Additionally, Qualcomm’s chips power various automotive systems, industrial IoT sensors, and countless consumer gadgets.With attackers increasingly shifting their tactics to target hardware-level flaws—where detection and remediation are often slower—such vulnerabilities in chipsets are particularly insidious. Hardware vulnerabilities tend to persist longer in the environment, especially if they require firmware updates that are slow to materialize or difficult to distribute. For device manufacturers, carriers, and enterprise IT teams, patching these flaws can become a logistical nightmare, sometimes demanding coordination across multiple vendors and user bases.
The CISA KEV Catalog: More Than Just a List
The Purpose and Evolution of the Catalog
CISA’s KEV Catalog was established in line with BOD 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities. Enacted in late 2021, this directive mandates that Federal Civilian Executive Branch (FCEB) agencies continuously monitor their assets and, crucially, remediate any vulnerability catalogued as actively exploited by a firm deadline.The directive is not merely a compliance checklist. It represents a recognition that patch backlogs, asset sprawl, and alert fatigue have left enterprises dangerously exposed. By requiring prioritized remediation of KEV-listed CVEs, BOD 22-01 seeks to break the attacker’s current playbook—one that so often exploits well-known, widely documented vulnerabilities for weeks or months after they become public.
CISA’s approach is dynamic. New vulnerabilities are added frequently as real-world evidence of exploitation emerges. The KEV Catalog, therefore, functions as a living threat matrix: protecting government infrastructure, but just as importantly, serving as a bellwether for the private sector on what requires urgent action.
The Broader Mandate: Relevance Beyond Federal Agencies
While BOD 22-01 formally applies only to FCEB agencies, CISA’s messaging—and the practical realities of cyber risk—make it clear that every organization should be watching this catalog. As CISA stresses with each update, the vulnerabilities listed are frequent attack vectors for malicious cyber actors and pose significant risks across all enterprise environments.This stance is bolstered by a growing collection of breach post-mortems: studies repeatedly show that the overwhelming majority of successful intrusions hinge not on zero-days, but on unpatched, widely known vulnerabilities. In essence, the KEV Catalog, originally crafted for government, is now a de facto gold standard for prioritized patching among Fortune 500s, SMEs, and managed service providers.
Technical Deep Dive: Chipset Vulnerabilities Explained
Incorrect Authorization Vulnerabilities
Authorization vulnerabilities occur when a system fails to properly check whether a user or process has the rights to access or modify a given resource. In the context of mobile chipsets, improper authorization checks could potentially allow malicious apps—or even more insidious, remote attackers using crafted packets—to gain system-level privileges.For Qualcomm, which supplies both the application processor and the baseband (cellular modem) components in its SoCs (system-on-chips), such a flaw can span from the OS kernel to radio firmware, amplifying the attack surface. In the worst-case scenario, exploitation might allow one app or process to break out of sandboxing, read or write private data, eavesdrop on communications, or install persistent surveillance tools.
Historical precedents, such as the infamous "QuadRooter" family of vulnerabilities, illustrate just how damaging such chipset-level flaws can be. Following their disclosure, security researchers demonstrated remote rooting of affected devices via malicious apps that abused similar authorization oversights.
Use-After-Free in Embedded Systems
Use-after-free (UAF) vulnerabilities are equally worrisome. These memory corruption bugs arise when references to previously freed memory are still accessible, leading to potentially arbitrary code execution. In desktop applications, web browsers, or operating systems, UAFs are among the most frequently exploited weaknesses by advanced attackers.Bringing these bugs down to the chipset level significantly raises the stakes. Attackers might be able to execute code in privileged execution contexts, manipulate low-level radio controls, or corrupt sensitive system data. Unlike software-only UAFs, those in firmware or drivers often escape commercial endpoint protections, requiring highly targeted and timely patches from manufacturers.
Despite advances in chip-level security (e.g., Trusted Execution Environments, memory tagging extensions), patching firmware on end devices often lags far behind public disclosure—particularly in fragmented Android and IoT ecosystems.
The Patch Gap: Why Remediation Lags Persist
Even when a critical vulnerability becomes public and a patch is available, enterprises frequently struggle to deploy updates quickly enough to stay ahead of attackers. There are myriad reasons for this so-called “patch gap”:- Supply Chain Complexity: Android handset makers depend on Qualcomm patches, which must be integrated, tested, and distributed by device OEMs and carriers.
- Legacy Devices: Many consumers and organizations run old, unsupported hardware that may never receive official firmware updates.
- Operational Constraints: Mission-critical systems cannot afford downtime or risk of instability from rushed patching.
Case Example: Historic Qualcomm Exploit Waves
A look back at previous Qualcomm CVEs, such as CVE-2022-25636 (“Snapdragon Camera Driver privilege escalation”), offers a cautionary lesson. Despite patches being available within weeks, exploitation in the wild persisted for over a year due to device vendor lag. Android system update fragmentation meant millions of devices stayed at risk long after the initial advisory.Critical Analysis: Strengths and Limitations of the KEV-Driven Approach
Strengths
- Operational Focus: By maintaining a concise list of only actively exploited vulnerabilities, CISA ensures organizations aren’t paralyzed by endless patch advisories. KEV is practical, actionable, and urgent.
- Improved Threat Intelligence Sharing: Continuous updates and public transparency foster better communication between government, industry, and security vendors. The catalog is accessible to anyone and widely referenced in industry threat bulletins.
- Accountability and Auditability: For agencies under federal mandate, the deadline-driven structure of BOD 22-01 brings teeth to compliance efforts, enabling standardized reporting and enforcement.
- Influencing Industry Practices: The “trickle down” effect, where private companies mirror government prioritization, has raised the overall bar for vulnerability management.
Risks and Remaining Gaps
Despite its merits, the KEV Catalog—and the broader patching ecosystem—faces persistent challenges:- Firmware Update Lag: Firms like Qualcomm may release fixes rapidly, but downstream distribution (via OEMs, carriers, users) remains slow. Many devices remain vulnerable for months, even with KEV prioritization.
- Coverage and Scope: Not all actively exploited vulnerabilities make the KEV list equally quickly. Some advanced attacks, especially those targeting non-U.S. sectors, are slower to surface in public advisories.
- Resource Constraints: Smaller organizations may lack the staffing or expertise to evaluate and patch vulnerabilities at the pace KEV deadlines demand.
- Legacy and Unsupported Platforms: Devices past end-of-support require compensating controls—network segmentation, disablement, or mitigation—that are often impractical at scale.
The Qualcomm Challenge: An Industry Microcosm
The ongoing prevalence of vulnerabilities in Qualcomm chipsets illustrates both the progress and limits of current vulnerability management practice. Qualcomm has, over the past decade, strengthened its coordination with Google and major OEMs for rapid patch distribution. The Android Security Bulletin regularly publishes fixes aligned with KEV entries.Yet, even in 2025, device fragmentation (driven by multiple Android forks, regional ODMs, and carrier branding) ensures that not every end user receives critical firmware updates in a timely manner. Security-conscious consumers are advised to seek manufacturers with robust security pledges—such as those covering multi-year firmware updates—and to proactively monitor for patches.
Organizations, especially those in regulated sectors or with large mobile fleets, must consider supplemental mitigations: mobile device management (MDM) controls, application allowlisting, and network traffic monitoring for attempted exploitation of known chipset bugs. The risk calculus is particularly acute for government contractors, journalists, and executives whose devices are likely targets for advanced threats.
What Should Enterprises and Individuals Do?
For IT and Security Teams
- Vulnerability Management Integration: Embed KEV Catalog monitoring into security toolchains, SIEMs, and patch management workflows. Ongoing vigilance is required; CISA can update the catalog at any time based on emerging intelligence.
- Risk-Based Prioritization: Prioritize patching based on exposure to cataloged CVEs, especially those affecting internet-facing or high-privilege assets.
- Asset Visibility: Maintain detailed inventories of all systems—including mobile and embedded devices—that operate with Qualcomm chipsets.
- Compensating Controls: Where patching is delayed (due to vendor constraints or operational needs), mitigate risk with strict access controls, network segmentation, and device usage policies.
- Incident Response Preparedness: Assume breaches can and will occur; update detection rules, anomaly monitoring, and response playbooks to cover active exploitation of relevant KEV CVEs.
For Consumers
- Update Early and Often: Apply all available operating system and firmware updates for mobile devices as soon as they are available. Subscribe to device manufacturer security advisories if possible.
- Device Selection: Prefer devices from vendors with established reputations for security support and regular patching.
- Reduce Attack Surface: Limit installation of unnecessary applications, avoid sideloading apps from unofficial sources, and use robust authentication methods (e.g., biometrics, PINs).
- Practice Caution with Older Devices: If your device no longer receives official updates, consider phasing it out for critical communications or sensitive tasks.
The Road Ahead: Toward Faster and More Transparent Remediation
The inclusion of CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038 in the CISA KEV Catalog is a timely reminder of the high stakes and persistent challenges that defining our digital lives. As the boundary between enterprise infrastructure and personal technology blurs—driven by mobility, IoT, and the hybrid workplace—vigilance in patching and vulnerability management has never been more vital.CISA’s catalog is an indispensable compass, but it is only as effective as the speed and coverage with which organizations can act upon its guidance. Device manufacturers, software vendors, and policymakers must continue to close the patch gap, investing in transparent security communication and robust support lifecycles.
Ultimately, the greatest strength of the KEV initiative lies not just in the technology or lists it curates, but in the culture of urgency and shared responsibility it fosters. As adversaries grow ever more sophisticated, it is collaboration across sectors—and an ironclad commitment to security hygiene—that will decide whether tomorrow’s headlines are stories of compromise or of resilience.
Source: CISA CISA Adds Three Known Exploited Vulnerabilities to Catalog | CISA
