
CVE-2025-21487: CWE-126 Buffer Over-read in Qualcomm, Inc. Snapdragon

Severity: High
Tags: Vulnerability, CVE-2025-21487, cve, cve-2025-21487, cwe-126
Published: Wed Sep 24 2025 (09/24/2025, 15:33:34 UTC)
Source: CVE Database V5
Vendor/Project: Qualcomm, Inc.
Product: Snapdragon

Description

Information disclosure while decoding RTP packet received by UE from the network, when payload length mentioned is greater than the available buffer length.

AI-Powered Analysis

Last updated: 10/02/2025, 01:05:53 UTC

Technical Analysis

CVE-2025-21487 is a high-severity buffer over-read vulnerability (CWE-126) affecting a broad range of Qualcomm Snapdragon platforms and associated wireless connectivity modules. The vulnerability arises during the decoding of RTP (Real-time Transport Protocol) packets received by the User Equipment (UE) from the network. Specifically, when the RTP payload length specified in the packet header exceeds the actual available buffer length, the decoder reads beyond the allocated buffer boundary. This buffer over-read can lead to information disclosure, as data beyond the intended buffer may be accessed and potentially leaked. The vulnerability does not require any privileges or user interaction to exploit and can be triggered remotely by sending a crafted RTP packet to the affected device.

The affected products include a wide array of Snapdragon mobile platforms, automotive platforms, wearable platforms, and wireless connectivity chips, covering many generations and variants, from older models like APQ8017 and SD 675 to the latest Snapdragon 8 Gen 3 Mobile Platform and FastConnect series.

The CVSS v3.1 base score is 8.2, indicating a high severity due to network attack vector, low attack complexity, no privileges required, no user interaction, and a significant confidentiality impact with limited availability impact. No known exploits are currently reported in the wild, and no patches are linked yet, suggesting the vulnerability is newly disclosed or under active investigation.

The root cause is a classic buffer boundary validation failure during RTP packet processing, which is critical given the widespread use of RTP in voice, video, and real-time communications over IP networks. This vulnerability could be leveraged by attackers to extract sensitive information from device memory, potentially including cryptographic keys, user data, or other sensitive runtime information, thereby compromising confidentiality without affecting integrity or causing denial of service directly. Given the extensive list of affected Qualcomm platforms, the vulnerability impacts a vast number of consumer and enterprise devices globally, including smartphones, IoT devices, automotive systems, and wearable technology that rely on Snapdragon chipsets for connectivity and media processing.
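
The bug class described above (a length taken from the packet and trusted over the number of bytes actually received) is shown here from the fix side, as an added example that is not Qualcomm's code and does not come from the advisory. It is a C parser for the RFC 3550 RTP header that rejects any declared length (CSRC count, header-extension length, padding count) that exceeds the received datagram. The page does not say which length field the CVE involves; `rtp_parse`, `rtp_view` and both sample packets are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

typedef struct {
    size_t payload_off;   /* where the payload starts in the datagram */
    size_t payload_len;   /* payload bytes that actually exist */
} rtp_view;

/* Constructed samples (not captured traffic): 12-byte header + data. */
static const uint8_t ok_pkt[16] = { 0x80, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 2,
                                    'a', 'b', 'c', 'd' };
/* X bit set; extension claims 0x0040 words (256 bytes), 4 bytes follow. */
static const uint8_t bad_pkt[20] = { 0x90, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0, 2,
                                     0xBE, 0xDE, 0x00, 0x40, 1, 2, 3, 4 };

/* Returns 0 and fills *out, or -1 if a length declared in the packet
 * would reach past the len bytes received. Never reads past buf[len-1]. */
int rtp_parse(const uint8_t *buf, size_t len, rtp_view *out)
{
    if (!buf || !out || len < 12 || (buf[0] >> 6) != 2)
        return -1;                           /* fixed header, version 2 */
    size_t off = 12 + 4u * (buf[0] & 0x0F);  /* skip CSRC list (CC field) */
    if (off > len)
        return -1;
    if (buf[0] & 0x10) {                     /* X: header extension */
        if (len - off < 4)
            return -1;
        size_t ext = 4u * (((size_t)buf[off + 2] << 8) | buf[off + 3]);
        off += 4;
        if (ext > len - off)                 /* declared > available */
            return -1;
        off += ext;
    }
    size_t pad = 0;
    if (buf[0] & 0x20) {                     /* P: last byte = pad count */
        pad = buf[len - 1];
        if (pad == 0 || pad > len - off)
            return -1;
    }
    out->payload_off = off;
    out->payload_len = len - off - pad;
    return 0;
}

int main(void)
{
    rtp_view v;
    return (rtp_parse(ok_pkt, sizeof ok_pkt, &v) == 0 &&
            rtp_parse(bad_pkt, sizeof bad_pkt, &v) == -1) ? 0 : 1;
}
```

Every comparison is written as "declared length > bytes remaining" using subtraction from `len`, so the check itself cannot overflow or index past the buffer.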

Potential Impact

For European organizations, the impact of CVE-2025-21487 is significant due to the widespread deployment of Qualcomm Snapdragon-based devices in corporate and consumer environments. Many employees use smartphones and tablets powered by Snapdragon platforms, and enterprises increasingly deploy IoT and wearable devices with these chipsets. The vulnerability could allow remote attackers to leak sensitive information from devices connected to corporate networks, potentially exposing confidential communications, authentication tokens, or cryptographic material. This poses a risk to data confidentiality and privacy compliance under regulations such as GDPR. In sectors like finance, healthcare, and critical infrastructure, where secure real-time communications are essential, exploitation could undermine trust and operational security. Additionally, automotive platforms affected by this vulnerability could impact connected vehicle systems used in European automotive manufacturing and smart transportation initiatives, raising safety and privacy concerns. Although no integrity or availability impacts are directly associated, the confidentiality breach alone can facilitate further attacks such as session hijacking or espionage. The lack of required privileges and user interaction means attackers can exploit this vulnerability remotely and stealthily, increasing the threat level for organizations relying on Snapdragon-powered devices for secure communications.

Mitigation Recommendations

Given the absence of available patches at the time of disclosure, European organizations should implement layered mitigations to reduce exposure. Network-level filtering should be employed to monitor and block suspicious RTP traffic, especially from untrusted or external sources. Deploying intrusion detection/prevention systems (IDS/IPS) with signatures or anomaly detection for malformed RTP packets can help detect exploitation attempts. Organizations should enforce strict network segmentation to isolate critical systems and limit RTP traffic to trusted endpoints. Device management policies should ensure that all Snapdragon-powered devices are updated promptly once vendor patches become available. Until patches are released, disabling or restricting RTP-based services where feasible can reduce attack surface. Vendors and device manufacturers should be engaged to prioritize firmware and software updates addressing this vulnerability. Additionally, organizations should conduct security awareness training to recognize potential indicators of compromise related to RTP traffic anomalies. For automotive and IoT deployments, applying secure update mechanisms and monitoring device telemetry for unusual behavior is critical. Finally, organizations should review and enhance their incident response plans to include scenarios involving information disclosure via network protocol exploitation.


Technical Details

Data Version: 5.1
Assigner Short Name: qualcomm
Date Reserved: 2024-12-18T09:50:08.935Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68d41180d0cbc63b6d41b254

Added to database: 9/24/2025, 3:42:56 PM

Last enriched: 10/2/2025, 1:05:53 AM

Last updated: 10/7/2025, 1:36:40 PM
