U.S. CISA Adds Multiple Qualcomm Chipset Flaws to Its Known Exploited Vulnerabilities Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has taken action to protect the nation's networks by adding multiple Qualcomm chipset flaws to its Known Exploited Vulnerabilities (KEV) catalog. This move is part of CISA's efforts to mitigate the risk of known exploited vulnerabilities, which can be used to gain unauthorized access to sensitive information.
According to a report published by the Google Android Security team, three zero-day vulnerabilities have been identified in Qualcomm chipsets and exploited in limited, targeted attacks. The vulnerabilities, CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038, affect the Adreno Graphics Processing Unit (GPU) driver. Qualcomm addressed these issues by making patches available to OEMs in May, along with a strong recommendation to deploy the update on affected devices as soon as possible.
While CISA did not provide details about the attacks exploiting these vulnerabilities, it is clear that they pose a significant risk to the nation's networks. The agency has issued Binding Operational Directive (BOD) 22-01, "Reducing the Significant Risk of Known Exploited Vulnerabilities," which requires federal agencies to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts are also urging private organizations to review the KEV catalog and address the vulnerabilities in their infrastructure. By doing so, they can prevent potential breaches and ensure the security of their systems.
The Vulnerabilities: A Closer Look
CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038 are three zero-day vulnerabilities that affect the Adreno Graphics Processing Unit (GPU) driver. While Qualcomm has made patches available to OEMs, it is essential for device owners to stay informed about these vulnerabilities and take steps to protect their devices.
The impact of these vulnerabilities cannot be overstated. If exploited, they could allow attackers to gain unauthorized access to sensitive information, potentially leading to serious consequences such as data breaches or system compromise.
A Call to Action
CISA has ordered federal agencies to fix the vulnerabilities by June 24, 2025. Private organizations are also urged to take immediate action to address these vulnerabilities in their infrastructure. By working together, we can reduce the significant risk of known exploited vulnerabilities and protect our networks against attacks.