
Critical UNISOC T612 Modem Vulnerability Allows Remote Code Execution through Cellular Calls


A severe security vulnerability has come to light in the firmware of UNISOC modems, posing significant risk to millions of devices. The flaw allows attackers to execute arbitrary code remotely over cellular networks, potentially leading to severe compromise of device functionality and user privacy.

UNISOC is a well-known semiconductor manufacturer that supplies chipsets for several prominent mobile brands, including Motorola, Samsung, Vivo, and Realme. This expansive market reach means that the vulnerability affects a wide array of smartphones and tablets, leaving countless users at risk of remote exploitation.

The unpatched flaw currently leaves millions of devices susceptible to attacks. Experts warn that the nature of the vulnerability could have serious implications for mobile security, as it allows malicious entities to gain control over a target device through seemingly benign actions, like making a simple phone call.

Vulnerability Overview

The vulnerability enables a malicious actor to compromise a device by merely initiating a cellular call over the targeted network. By sending carefully crafted Session Description Protocol (SDP) messages during standard Session Initiation Protocol (SIP) signaling, an attacker can intentionally trigger memory corruption within the modem of the victim’s phone.

This critical vulnerability has been classified as an Uncontrolled Recursion issue, logged under the Common Weakness Enumeration (CWE) system as CWE-674. The heart of the problem lies in how the modem handles specific message attributes without adequately validating the length or depth of incoming network requests.

The root cause of this vulnerability is found in the _SDPDEC_AcapDecoder function, responsible for processing the acap attribute within SDP messages. When the modem processes these messages, it attempts to look up the parsed attribute and call a corresponding handler. However, this parsing logic is inherently unsafe because the decoding function is capable of calling itself recursively without any constraints.

If an attacker sends a string containing multiple nested acap attributes in a single line, the modem processes them one inside the other until the Session Initiation Protocol (SIP) task’s stack overflows. The overflow causes the stack to collide with the stack of another task, specifically the sblock_0_2 task. To exploit this memory corruption, the attacker must ensure that the targeted sblock_0_2 task is actively running. This task typically activates during data fragmentation in the IP Multimedia Subsystem (IMS) context, which naturally occurs during high-bandwidth operations such as video calls.

Moreover, an attacker can leverage an additional crypto attribute to introduce controlled malicious data onto the stack, thereby overwriting crucial function pointers and executing arbitrary code remotely.
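The recursion pattern described above, reduced to a small hypothetical SDP attribute decoder: this is an added example, not the UNISOC firmware code or the researchers' code. The acap syntax follows RFC 5939 (an acap attribute wraps another attribute), the depth bound MAX_ACAP_DEPTH is an assumed value, and both SDP bodies are constructed test inputs. The same decoder is run unbounded (the CWE-674 shape of the bug) and with a depth limit (the mitigation a parser should apply).

```python
import sys
from typing import Optional

MAX_ACAP_DEPTH = 4  # hypothetical bound; real deployments would size it to the offers they need

def decode_attribute(attr: str, depth: int = 0, limit: Optional[int] = None) -> dict:
    """Decode one SDP attribute value (the text after 'a=').
    'acap:<n> <attribute>' (RFC 5939) wraps another attribute, decoded by calling this
    function again. limit=None leaves the recursion unbounded (the CWE-674 pattern the
    article describes); with a limit, nesting past the bound is refused before recursing."""
    if limit is not None and depth > limit:
        raise ValueError(f"acap nesting deeper than {limit}")
    name, _, value = attr.partition(":")
    if name == "acap":
        num, _, inner = value.partition(" ")
        if not num.isdigit() or not inner:
            raise ValueError("malformed acap attribute")
        return {"acap": int(num), "inner": decode_attribute(inner, depth + 1, limit)}
    return {name: value}

def decode_sdp(sdp: str, limit: Optional[int] = MAX_ACAP_DEPTH) -> str:
    """Decode every a= line of an SDP body. Returns 'ok', 'rejected' (the bounded decoder
    refused the body) or 'overflow' (the unbounded decoder exhausted the interpreter stack,
    which is the point where the modem's SIP task stack is overrun)."""
    try:
        for line in sdp.splitlines():
            if line.startswith("a="):
                decode_attribute(line[2:], 0, limit)
    except RecursionError:
        return "overflow"
    except ValueError:
        return "rejected"
    return "ok"

def nested_acap(depth: int, leaf: str = "crypto:1 AES_CM_128_HMAC_SHA1_80 inline:PLACEHOLDER") -> str:
    """Constructed test input: one a= value with `depth` acap wrappers around a leaf attribute."""
    attr = leaf
    for n in range(depth, 0, -1):
        attr = f"acap:{n} {attr}"
    return attr

# Constructed SDP bodies: a normal offer, and one whose single acap line is nested deeper
# than the interpreter's recursion limit so the unbounded decoder fails on it.
BENIGN_SDP = "v=0\r\nm=audio 49170 RTP/SAVP 0\r\na=" + nested_acap(1) + "\r\n"
DEEP_SDP = "v=0\r\nm=audio 49170 RTP/SAVP 0\r\na=" + nested_acap(sys.getrecursionlimit() * 2) + "\r\n"

if __name__ == "__main__":
    print(decode_sdp(BENIGN_SDP), decode_sdp(DEEP_SDP), decode_sdp(DEEP_SDP, limit=None))
```

In Python the unbounded case ends in a caught RecursionError; in C firmware the same recursion keeps writing below the task stack, which is the memory collision the article describes.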

In a noteworthy development, independent security researcher 0x50594d, collaborating with SSD Secure Disclosure, successfully demonstrated this attack within a controlled testing environment. The researchers employed a Dockerized Open5GS deployment along with Kamailio, utilizing a LimeSDR antenna for 4G cellular communication and a target smartphone acting as the victim device.

The custom exploitation script first authenticates the simulated attacker’s device to the core network and dispatches modified invitation messages containing the malicious payload. Following this, the attacker initiates a video call to the victim’s device. Once the call is connected and data fragments begin to flow, the stack overflows, crashing the modem and executing the injected shellcode.

This remote attack vector affects several UNISOC chipsets, in particular the T612, T616, T606, and T7250 models. During testing, the exploit was reproduced on a Realme C33 smartphone running the July 2025 Android security update and the MOCORTM_22A_W23.02.5_P12.14_Debug firmware. The vulnerability was demonstrated with a fully functional remote code execution exploit, which raises alarming concerns.

The researchers attempted to reach out to UNISOC through various channels, including emails and professional networks, seeking details regarding a potential patch. However, their efforts have gone unanswered, and as of now, there is no available firmware update from the vendor. Consequently, devices employing the affected modems remain largely defenseless against this unauthenticated remote code execution vulnerability.

This situation underscores the urgent need for manufacturers to prioritize security in their firmware updates. As vulnerabilities continue to emerge, it becomes increasingly vital for users and manufacturers alike to remain vigilant about device security and potential exploits. The implications of such vulnerabilities extend beyond individual users, potentially affecting the operational integrity of entire mobile networks. With no resolution in sight, millions remain vulnerable, highlighting a critical gap in mobile cybersecurity.
