GBHackers

Critical UNISOC T612 Modem Flaw Enables Remote Code Execution via Cellular Calls


A severe security vulnerability has been uncovered in UNISOC modem firmware, allowing attackers to execute arbitrary code remotely over cellular networks.

UNISOC is a major semiconductor manufacturer providing chipsets for prominent mobile brands such as Motorola, Samsung, Vivo, and Realme.

This unpatched flaw leaves millions of devices potentially vulnerable to remote compromise.

Vulnerability Overview

The flaw allows a malicious actor to compromise a target device simply by making a cellular call over the network.

By sending specially crafted Session Description Protocol (SDP) messages during standard Session Initiation Protocol (SIP) signaling, an attacker can trigger memory corruption inside the modem of the victim's phone.

This critical vulnerability is classified as an Uncontrolled Recursion issue, tracked under the Common Weakness Enumeration system as CWE-674.

The core problem resides in how the modem parses specific message attributes without properly validating the length or depth of the incoming network request.

The root cause of this vulnerability is located in the _SDPDEC_AcapDecoder function, which is responsible for handling the acap attribute within SDP messages.

When the modem processes these messages, it looks up the parsed attribute and invokes a corresponding handler.

However, this parsing logic is highly unsafe because the decoder function can call itself recursively without any built-in limits.

If an attacker sends an input containing a long run of acap attributes on a single line, the modem processes them one after another, recursing once per attribute, until the SIP task's stack overflows.

The overflowing stack then runs into the stack of another task, specifically the sblock_0_2 task.

To make this memory corruption exploitable, the attacker must ensure the targeted sblock_0_2 task is actively running.

This task activates during data fragmentation in the IP Multimedia Subsystem (IMS) context, which naturally occurs during high-bandwidth operations like a standard video call.

By using an additional crypto attribute, the attacker can introduce controlled malicious data onto the stack, overwrite critical function pointers, and achieve full remote code execution.
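The recursion pattern described above, and the depth guard that an Uncontrolled Recursion (CWE-674) fix would add, as an added illustration in C. This is hypothetical code, not UNISOC's `_SDPDEC_AcapDecoder`; the acap grammar it accepts (`acap:<num> <att-par>`, where `<att-par>` may itself be another acap token), the `ACAP_MAX_DEPTH` limit and the helper names are assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical illustration, not UNISOC firmware: a recursive decoder for SDP
 * "a=acap:<num> <att-par>" lines in which <att-par> may itself be another
 * acap token. The depth guard is the CWE-674 mitigation the flaw lacks. */

#define ACAP_MAX_DEPTH 8                    /* assumed bound, a design choice */
enum { ACAP_BAD_SYNTAX = -1, ACAP_TOO_DEEP = -2 };
/* depth counts acap tokens consumed so far, including this one.
 * Returns the total nesting depth on success, a negative code on error. */
static int acap_decode(const char *p, int depth)
{
    if (strncmp(p, "acap:", 5) != 0)
        return ACAP_BAD_SYNTAX;
    const char *num = p + 5, *q = num;
    while (*q >= '0' && *q <= '9')          /* att-cap-num: 1*DIGIT */
        q++;
    if (q == num || *q++ != ' ')            /* exactly one SP after the number */
        return ACAP_BAD_SYNTAX;
    if (strncmp(q, "acap:", 5) == 0) {
        /* Nested acap: an unbounded decoder recurses here once per token until
         * the task stack is exhausted. Refuse instead of recursing past the cap. */
        if (depth >= ACAP_MAX_DEPTH)
            return ACAP_TOO_DEEP;
        return acap_decode(q, depth + 1);
    }
    /* Innermost att-par must be non-empty; a real decoder dispatches on its
     * attribute name (rtpmap, crypto, ...) here. */
    return *q ? depth : ACAP_BAD_SYNTAX;
}

/* Decode one SDP line. Returns nesting depth (>= 1) or a negative code. */
int acap_decode_line(const char *line)
{
    return strncmp(line, "a=", 2) == 0 ? acap_decode(line + 2, 1) : ACAP_BAD_SYNTAX;
}
/* Constructed input "a=acap:1 acap:2 ... acap:n rtpmap:96 H264/90000"; caller frees. */
char *make_acap_chain(int n)
{
    size_t cap = (size_t)n * 20 + 32, off;
    char *buf = malloc(cap);
    off = (size_t)snprintf(buf, cap, "a=");
    for (int i = 1; i <= n; i++)
        off += (size_t)snprintf(buf + off, cap - off, "acap:%d ", i);
    snprintf(buf + off, cap - off, "rtpmap:96 H264/90000");
    return buf;
}
```

With the guard in place, a line carrying tens of thousands of chained acap tokens is rejected after eight frames instead of growing the stack once per token.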

Independent security researcher 0x50594d, working in coordination with SSD Secure Disclosure, successfully demonstrated this attack in a controlled test environment.

Researchers from SSD used a Dockerized Open5GS core deployed alongside Kamailio, a LimeSDR software-defined radio for the 4G cellular link, and a target smartphone acting as the victim device.

The custom exploitation script first authenticates the attacker's simulated device to the core network and then sends modified SIP INVITE messages containing the malicious payload.

Immediately after delivering the payload, the attacker initiates a video call to the victim device.

Once the call connects and IMS data begins to fragment, the stack overflows, crashing the modem and executing the injected shellcode.

This remote attack vector impacts several UNISOC chipsets, specifically the T612, T616, T606, and T7250 models.

During testing, the exploit was successfully reproduced on a Realme C33 smartphone running the July 2025 Android security update and utilizing the MOCORTM_22A_W23.02.5_P12.14_Debug firmware.

The vulnerability was demonstrated with a fully functioning remote code execution exploit.

The researchers attempted to contact UNISOC through multiple channels, including email and professional networks, but received no response regarding a patch.

Because there is currently no firmware update available from the vendor, devices utilizing these affected modems remain heavily exposed to this unauthenticated remote code execution vulnerability.
