Qualcomm has officially released urgent security patches to address three zero-day vulnerabilities currently being exploited in targeted hacking campaigns. The flaws, identified within dozens of the company’s chipsets, were disclosed in the June 2025 security bulletin.
High-Stakes Exploitation Detected
The discovery of these vulnerabilities originated from Google’s Threat Analysis Group (TAG), a specialized team focused on tracking government-backed cyber operations. According to Qualcomm, these three zero-days—tracked as CVE-2025-21479, CVE-2025-21480, and CVE-2025-27038—are currently subject to “limited, targeted exploitation.”
Google’s Android security team first reported these vulnerabilities to the chipmaker in February. Because zero-day flaws remain unknown to the manufacturer until discovered, they are highly prized by state-sponsored actors and cybercriminals seeking to bypass standard security protocols.
The Android Update Bottleneck
While the patches are now available, the fragmented nature of the Android ecosystem creates a significant delay in protection. Qualcomm provided these updates to device manufacturers in May, but the responsibility to push these fixes to end-users lies with individual phone makers.
This distribution model means that millions of devices may remain exposed for several weeks until manufacturers integrate the patches into their own firmware updates. Qualcomm has issued a “strong recommendation” for all device makers to deploy these updates immediately.
Why Qualcomm Chips Are Prime Targets
Security experts note that mobile chipsets are frequent targets because they possess deep, low-level access to the operating system. By compromising the chip, hackers can escalate their privileges, effectively jumping from the hardware layer to sensitive data stored elsewhere on the device.
Evidence of these attacks is mounting. Recent history includes documented cases such as the Amnesty International report from last year, which uncovered a Qualcomm zero-day exploited by Serbian authorities, potentially utilizing tools from phone-unlocking firm Cellebrite.
Manufacturer Responses
Google has confirmed that its proprietary Pixel devices are not impacted by these specific vulnerabilities. Meanwhile, Qualcomm continues to emphasize the necessity of user vigilance. Company spokesperson Dave Schefcik stated, “We encourage end users to apply security updates as they become available from device makers.”
As of now, Google’s TAG has declined to provide further technical details regarding the specific circumstances or the threat actors involved in the discovery of these exploits.