Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
Critical

MitM in Qualcomm GPS/GNSS assistance data download

IdentifiersCVE-2025-21450CWE-287· Improper Authentication

CVE-2025-21450 is a critical vulnerability in Qualcomm GPS/GNSS components caused by the use of an insecure connection method when downloading GNSS assistance data. According to the provided content, Qualcomm GPS firmware retrieves data over unencrypted HTTP from GPS-related infrastructure, including gpsonextra.net and izatcloud.net, without sufficient cryptographic authentication of the downloaded content. This allows an attacker in a man-in-the-middle position to intercept and modify assistance data in transit. The issue affects closed-source Qualcomm components and reportedly impacts more than 100 chipsets, including Snapdragon 8 Gen 3, Snapdragon 7 series, and Snapdragon 6 series devices running firmware prior to Qualcomm's July 2025 security update.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow manipulation of GNSS assistance data such as almanac or ephemeris information, leading to GPS spoofing, incorrect device location reporting, and incorrect time reporting. The content also indicates that malformed or maliciously altered data may corrupt GNSS-related data structures, causing denial of service in the GPS subsystem. Because the flaw affects chipset-level GPS/GNSS functionality, impact may extend to any device features or applications that rely on trustworthy positioning or timing.

Mitigation

If you can’t patch tonight, do this now.

Until patched firmware is deployed, reduce exposure to man-in-the-middle conditions on networks used by affected devices, especially untrusted or attacker-controlled connectivity paths. Prefer trusted network environments and enterprise network protections that make interception harder. Where operationally feasible, limit reliance on affected GNSS-derived location/time data for security-sensitive decisions until patched builds are installed. Mitigation is inherently limited because the flaw is in a closed-source chipset component and ultimately requires vendor patching.

Remediation

Patch, then assume compromise.

Apply Qualcomm's July 2025 security update, or any later OEM/device-manufacturer firmware update that incorporates Qualcomm's fix for CVE-2025-21450. For Android devices, ensure the device has the relevant security patch level covering this issue as distributed by the OEM. Because the vulnerable component is closed-source and patch deployment depends on downstream vendors, remediation requires updated firmware from the device manufacturer or platform vendor.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
QualcommAr8035 Firmwareoperating_system
QualcommFastconnect 6200 Firmwareoperating_system
QualcommFastconnect 6700 Firmwareoperating_system
QualcommFastconnect 6900 Firmwareoperating_system
QualcommFastconnect 7800 Firmwareoperating_system
QualcommQca6174a Firmwareoperating_system
QualcommQca6391 Firmwareoperating_system
QualcommQca6574a Firmwareoperating_system
QualcommQca6574au Firmwareoperating_system
QualcommQca6584au Firmwareoperating_system
QualcommQca6595au Firmwareoperating_system
QualcommQca6678aq Firmwareoperating_system
QualcommQca6688aq Firmwareoperating_system
QualcommQca6696 Firmwareoperating_system
QualcommQca6698aq Firmwareoperating_system
QualcommQca6698au Firmwareoperating_system
QualcommQca6797aq Firmwareoperating_system
QualcommQca8081 Firmwareoperating_system
QualcommQca8337 Firmwareoperating_system
QualcommQcc710 Firmwareoperating_system
QualcommQcm4490 Firmwareoperating_system
QualcommQcm5430 Firmwareoperating_system
QualcommQcm6490 Firmwareoperating_system
QualcommQcm8550 Firmwareoperating_system
QualcommQcn6024 Firmwareoperating_system
QualcommQcn6224 Firmwareoperating_system
QualcommQcn6274 Firmwareoperating_system
QualcommQcn9011 Firmwareoperating_system
QualcommQcn9012 Firmwareoperating_system
QualcommQcn9024 Firmwareoperating_system
QualcommQcs4490 Firmwareoperating_system
QualcommQcs5430 Firmwareoperating_system
QualcommQcs6490 Firmwareoperating_system
QualcommQcs8550 Firmwareoperating_system
QualcommQep8111 Firmwareoperating_system
QualcommQfw7114 Firmwareoperating_system
QualcommQfw7124 Firmwareoperating_system
QualcommSd 8 Gen1 5g Firmwareoperating_system
QualcommSdx55 Firmwareoperating_system
QualcommSdx61 Firmwareoperating_system
QualcommSdx80m Firmwareoperating_system
QualcommSg8275p Firmwareoperating_system
QualcommSm4635 Firmwareoperating_system
QualcommSm6370 Firmwareoperating_system
QualcommSm6650 Firmwareoperating_system
QualcommSm6650p Firmwareoperating_system
QualcommSm7325p Firmwareoperating_system
QualcommSm7635 Firmwareoperating_system
QualcommSm7635p Firmwareoperating_system
QualcommSm7675 Firmwareoperating_system
QualcommSm7675p Firmwareoperating_system
QualcommSm8635 Firmwareoperating_system
QualcommSm8635p Firmwareoperating_system
QualcommSm8650q Firmwareoperating_system
QualcommSm8750 Firmwareoperating_system
QualcommSm8750p Firmwareoperating_system
QualcommSnapdragon 4 Gen 1 Mobile Firmwareoperating_system
QualcommSnapdragon 480 5g Mobile Firmwareoperating_system
QualcommSnapdragon 480+ 5g Mobile Firmwareoperating_system
QualcommSnapdragon 695 5g Mobile Firmwareoperating_system
QualcommSnapdragon 778g 5g Mobile Firmwareoperating_system
QualcommSnapdragon 778g+ 5g Mobile Firmwareoperating_system
QualcommSnapdragon 782g Mobile Firmwareoperating_system
QualcommSnapdragon 7c+ Gen 3 Firmwareoperating_system
QualcommSnapdragon 8 Gen 1 Mobile Firmwareoperating_system
QualcommSnapdragon 8 Gen 3 Mobile Firmwareoperating_system
QualcommSnapdragon 8+ Gen 1 Mobile Firmwareoperating_system
QualcommSnapdragon 888 5g Mobile Firmwareoperating_system
QualcommSnapdragon 888+ 5g Mobile Firmwareoperating_system
QualcommSnapdragon Auto 5g Modem-Rf Firmwareoperating_system
QualcommSnapdragon Auto 5g Modem-Rf Gen 2 Firmwareoperating_system
QualcommSnapdragon W5+ Gen 1 Wearable Firmwareoperating_system
QualcommSnapdragon X32 5g Modem-Rf Firmwareoperating_system
QualcommSnapdragon X35 5g Modem-Rf Firmwareoperating_system
QualcommSnapdragon X62 5g Modem-Rf Firmwareoperating_system
QualcommSnapdragon X65 5g Modem-Rf Firmwareoperating_system
QualcommSnapdragon X72 5g Modem-Rf Firmwareoperating_system
QualcommSnapdragon X75 5g Modem-Rf Firmwareoperating_system
QualcommSw5100 Firmwareoperating_system
QualcommSw5100p Firmwareoperating_system
QualcommVideo Collaboration Vc3 Firmwareoperating_system
QualcommVideo Collaboration Vc3 Platform Firmwareoperating_system
QualcommWcd9340 Firmwareoperating_system
QualcommWcd9360 Firmwareoperating_system
QualcommWcd9370 Firmwareoperating_system
QualcommWcd9375 Firmwareoperating_system
QualcommWcd9378 Firmwareoperating_system
QualcommWcd9380 Firmwareoperating_system
QualcommWcd9385 Firmwareoperating_system
QualcommWcd9390 Firmwareoperating_system
QualcommWcd9395 Firmwareoperating_system
QualcommWcn3950 Firmwareoperating_system
QualcommWcn3980 Firmwareoperating_system
QualcommWcn3988 Firmwareoperating_system
QualcommWcn6450 Firmwareoperating_system
QualcommWcn6650 Firmwareoperating_system
QualcommWcn6755 Firmwareoperating_system
QualcommWcn7860 Firmwareoperating_system
QualcommWcn7861 Firmwareoperating_system
QualcommWcn7880 Firmwareoperating_system
QualcommWcn7881 Firmwareoperating_system
QualcommWsa8810 Firmwareoperating_system
QualcommWsa8815 Firmwareoperating_system
QualcommWsa8830 Firmwareoperating_system
QualcommWsa8832 Firmwareoperating_system
QualcommWsa8835 Firmwareoperating_system
QualcommWsa8840 Firmwareoperating_system
QualcommWsa8845 Firmwareoperating_system
QualcommWsa8845h Firmwareoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-21450
NVD
nvd.nist.gov/vuln/detail/CVE-2025-21450
MITRE CWE · CWE-287
Improper Authentication
Vendor Advisory
docs.qualcomm.com/product/publicresources/securitybulletin/july-2025-bulletin.html