CVE-2025-47383 in Snapdragon Auto
Summary
by MITRE • 03/02/2026
Weak configuration may lead to cryptographic issue when a VoWiFi call is triggered from UE.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 03/02/2026
This vulnerability resides in the VoWiFi (Voice over WiFi) implementation within user equipment devices, specifically manifesting during call initiation scenarios. The weakness stems from improper cryptographic configuration that compromises the security of voice communications over wireless networks. When a user equipment device triggers a VoWiFi call, the system's cryptographic parameters fail to meet minimum security requirements, creating potential exposure points for unauthorized access or eavesdropping on voice transmissions.
The technical flaw involves insufficient cryptographic strength configuration within the VoWiFi protocol stack of mobile devices. This weakness allows for potential downgrade attacks where adversaries can manipulate the cryptographic negotiation process to force the use of weaker encryption algorithms or parameters. The vulnerability specifically affects the key exchange mechanisms and authentication protocols used during VoWiFi call establishment, making it possible for attackers to intercept or manipulate voice data streams. The configuration issues typically involve improper implementation of cryptographic libraries or failure to enforce minimum security standards for cipher suites and key lengths during the call setup process.
The operational impact of this vulnerability extends beyond simple privacy concerns to encompass potential security breaches that could compromise sensitive communications. Attackers exploiting this weakness could gain access to voice conversations, potentially leading to information disclosure, social engineering opportunities, or even more sophisticated attacks leveraging the intercepted communications. The vulnerability affects mobile devices that support VoWiFi functionality, particularly those with weak cryptographic configuration management during the call initiation phase. This creates a persistent risk for users in environments where VoWiFi is enabled, especially in enterprise or government settings where voice communication security is paramount.
Mitigation strategies should focus on implementing robust cryptographic configuration management within VoWiFi implementations. Device manufacturers must ensure proper enforcement of minimum cryptographic standards during VoWiFi call establishment, including mandatory use of strong cipher suites and appropriate key lengths. Network operators should implement monitoring capabilities to detect potential cryptographic downgrade attempts and enforce security policies that prevent the use of weak cryptographic parameters. The vulnerability aligns with CWE-327 which addresses use of weak cryptography and CWE-310 which covers cryptographic issues in authentication mechanisms. From an ATT&CK framework perspective, this weakness maps to techniques involving credential access and interception of communications, potentially enabling later-stage attacks through information gathering and reconnaissance activities. Regular security updates and proper cryptographic configuration management practices should be implemented to address this vulnerability effectively.