CVE-2025-47357 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting Qualcomm Snapdragon chipsets. The flaw arises because a user-level driver can perform QFPROM (Qualcomm Fuse Programmable Read-Only Memory) read or write operations on fuse regions without any authentication checks. Fuse regions in Snapdragon devices store critical security and configuration data, including device identity, cryptographic keys, and hardware configuration parameters. Unauthorized access to these fuses can lead to information disclosure of sensitive data and unauthorized modification, potentially undermining device security features such as secure boot, hardware root of trust, and device integrity. The vulnerability affects numerous Snapdragon models across multiple series (QAM, QCA, SA, SRV), indicating a broad impact across many devices. According to the CVSS 3.1 vector, the attack requires local access (AV:L), low attack complexity (AC:L), no privileges (PR:N), and no user interaction (UI:N), with a scope unchanged (S:U). The impact on confidentiality is high (C:H), integrity is low (I:L), and availability is high (A:H), resulting in an overall CVSS score of 8. This means an attacker with local access can extract sensitive fuse data and potentially disrupt device availability by altering fuse states. No patches have been linked yet, and no known exploits are reported in the wild, but the vulnerability represents a significant risk due to the critical nature of the affected functions and the broad device coverage.

For European organizations, this vulnerability poses a substantial risk, especially those relying on Snapdragon-based devices in critical infrastructure, telecommunications, and mobile computing. The unauthorized reading of fuse data can lead to leakage of cryptographic keys and device identifiers, enabling cloning, impersonation, or bypassing of security mechanisms such as secure boot. Unauthorized writes to fuse regions can cause device malfunction or permanent damage, impacting availability and operational continuity. This could disrupt services in sectors like telecom providers, government agencies, and enterprises using Snapdragon-powered mobile devices or IoT equipment. The high confidentiality and availability impact combined with the ease of exploitation by local attackers means insider threats or malware with local access could exploit this vulnerability. The lack of authentication on critical functions undermines device trustworthiness and could facilitate advanced persistent threats targeting European networks. Additionally, the widespread use of Snapdragon chipsets in consumer and industrial devices increases the attack surface for supply chain and endpoint compromise.

1. Qualcomm should urgently develop and distribute patches that enforce strict authentication checks on QFPROM read/write operations to prevent unauthorized access. 2. European organizations should prioritize applying these patches as soon as they become available. 3. Implement strict access controls to limit local access to devices, including enforcing strong endpoint security policies and restricting physical and administrative access. 4. Monitor device logs and driver activity for unusual QFPROM access attempts or anomalies indicating exploitation attempts. 5. Use mobile device management (MDM) solutions to enforce security policies and detect compromised devices. 6. For critical infrastructure, consider hardware-based security modules or trusted platform modules (TPMs) to reduce reliance on vulnerable fuse regions. 7. Educate users and administrators about the risks of local exploitation and the importance of device security hygiene. 8. Collaborate with device vendors to ensure secure firmware updates and integrity verification mechanisms are in place.