CVE-2025-47383 is a vulnerability identified in multiple Qualcomm Snapdragon platforms, characterized by a missing cryptographic step during the initiation of Voice over WiFi (VoWiFi) calls from user equipment (UE). This cryptographic omission results in weak configuration that undermines the security guarantees typically provided by cryptographic protocols, potentially allowing attackers to intercept, manipulate, or disrupt VoWiFi communications. The vulnerability is classified under CWE-325, which refers to missing required cryptographic steps that can lead to insecure implementations. The affected products encompass a vast array of Qualcomm chipsets and platforms, including but not limited to mobile platforms (e.g., Snapdragon 8 Gen series, Snapdragon 7 series), automotive platforms, wearable platforms, compute platforms, and various modem and connectivity subsystems. The CVSS v3.1 base score is 7.2, reflecting high severity due to the vulnerability's impact on confidentiality, integrity, and availability, combined with network attack vector, low attack complexity, and the requirement for high privileges but no user interaction. The flaw could be exploited remotely over the network, particularly during VoWiFi call setup, potentially allowing attackers with elevated privileges to compromise call security. Although no exploits have been reported in the wild, the extensive deployment of affected Qualcomm components in smartphones, IoT devices, automotive systems, and other connected devices makes this vulnerability a significant concern. The lack of a patch at the time of reporting necessitates immediate risk mitigation strategies. The vulnerability's broad impact is compounded by the critical role of VoWiFi in modern telecommunication, especially in environments where cellular coverage is limited. The technical root cause is a missing cryptographic step, which may involve omitted encryption, authentication, or integrity verification processes during call initiation, thereby exposing the communication channel to interception or tampering.

The impact of CVE-2025-47383 is substantial for organizations worldwide that rely on Qualcomm Snapdragon-based devices for secure communications. The vulnerability compromises the confidentiality, integrity, and availability of VoWiFi calls, potentially allowing attackers to eavesdrop on sensitive conversations, inject malicious data, or disrupt communication services. This can lead to data breaches, loss of intellectual property, exposure of personally identifiable information (PII), and operational disruptions. Enterprises using Snapdragon-powered mobile devices, automotive systems, or IoT devices for critical communications are at risk of targeted attacks exploiting this flaw. The automotive sector could face safety risks if vehicle communication systems are compromised. The widespread presence of affected platforms in consumer and enterprise devices increases the attack surface, making large-scale exploitation feasible once an exploit is developed. The requirement for elevated privileges to exploit the vulnerability somewhat limits the attack vector but does not eliminate risk, especially in environments where privilege escalation is possible. The absence of known exploits in the wild currently reduces immediate threat but does not preclude future exploitation. Overall, the vulnerability poses a high risk to confidentiality and integrity of communications and could impact availability if exploited to disrupt VoWiFi services.

1. Monitor Qualcomm and device manufacturers for official patches or firmware updates addressing CVE-2025-47383 and apply them promptly across all affected devices. 2. Implement network segmentation and strict access controls to limit exposure of devices using vulnerable Snapdragon platforms, especially restricting access to VoWiFi call initiation services to trusted networks and users. 3. Employ intrusion detection and prevention systems (IDS/IPS) with signatures or heuristics tuned to detect anomalous VoWiFi call initiation patterns or cryptographic anomalies. 4. Enforce strong privilege management policies to minimize the risk of privilege escalation that could enable exploitation of this vulnerability. 5. Use endpoint security solutions capable of monitoring and restricting unauthorized modifications to communication modules or cryptographic configurations. 6. For organizations deploying Snapdragon-based automotive or IoT devices, ensure secure boot and firmware integrity verification mechanisms are in place to prevent unauthorized firmware tampering. 7. Educate security teams about the specific risk associated with VoWiFi cryptographic weaknesses and incorporate this vulnerability into incident response plans. 8. Where feasible, consider alternative communication methods or additional encryption layers at the application level to mitigate risks until patches are available. 9. Collaborate with vendors to obtain detailed technical guidance and support for remediation efforts.