Qualcomm, a leading provider of smartphone chipsets, issued patches on Monday addressing critical security vulnerabilities present in many of its widely used chips. Among these vulnerabilities, the company has confirmed three previously unknown zero-day exploits that hackers are actively targeting in limited, targeted attacks.
These security flaws, identified as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, were reported to Qualcomm by Google’s Android security researchers earlier this year. Google’s Threat Analysis Group (TAG), a specialized team tasked with identifying government-backed cyber operations, was credited with discovering these zero-days.
Zero-day vulnerabilities pose a significant threat because they are not previously known to software or hardware vendors, offering cybercriminals and espionage groups powerful tools for infiltrating devices. Qualcomm explained in its security bulletin that device manufacturers received the necessary patches in May, along with a strong recommendation that updates be deployed promptly to affected devices.
Due to Android’s decentralized distribution and patching system, however, the speed at which these patches reach end-users depends heavily on each mobile device manufacturer. As a result, despite the availability of these critical updates, many users’ devices could remain exposed for weeks or even months.
Google also confirmed that their own brand Pixel devices remain unaffected by these Qualcomm chipset vulnerabilities. Neither Qualcomm nor Google provided additional information regarding the exact nature or context of the exploits or the targets involved in the campaigns.
Chipsets inside smartphones are attractive targets for attackers because they typically grant extensive access to a device’s underlying systems, including potentially sensitive personal data. Hacking these components can provide attackers with a strategic foothold, allowing them to escalate privileges and compromise other areas of the device.
Recent history underscores the threat Qualcomm chipset vulnerabilities can pose. Last year, Amnesty International publicly identified a separate Qualcomm zero-day exploit used by Serbian authorities, facilitated by software provided by device unlocking firm Cellebrite.
