Introduction
A critical authorization bypass in Qualcomm's QCA7005 Powerline Communication firmware allows an unauthenticated attacker on an adjacent network to trigger a buffer overflow, potentially compromising not just the PLC chip but connected automotive and industrial systems beyond it. With a CVSS score of 9.6 and a scope change designation, this vulnerability is particularly relevant for organizations deploying Snapdragon Auto platform components in EV charging infrastructure and connected vehicle environments.
The QCA7005 is a Qualcomm chipset providing 10 MBps Powerline Communication capabilities, primarily used within the Snapdragon Auto platform for automotive connectivity and EV charging applications. Powerline Communication technology transmits data over existing electrical wiring, making it a key enabler for vehicle-to-grid communication in electric vehicle charging stations. The chipset's deployment in safety-critical automotive contexts makes vulnerabilities in its firmware especially consequential.
Technical Information
The root cause of CVE-2026-25293 is an incorrect authorization check within the QCA7005 PLC firmware that, when bypassed, leads to a buffer overflow condition. The vulnerability is classified under CWE-863 (Incorrect Authorization), meaning the firmware fails to properly verify that a requesting entity has the necessary permissions before processing input that ultimately overflows a buffer.
The CVSS 3.1 vector string is AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The individual metrics break down as follows:
| Metric | Value | Implication |
|---|---|---|
| Attack Vector | Adjacent | Attacker must have access to the adjacent network (e.g., shared powerline segment) |
| Attack Complexity | Low | No specialized conditions or extenuating circumstances required |
| Privileges Required | None | No prior authentication needed |
| User Interaction | None | Exploit triggers without any action from a legitimate user |
| Scope | Changed | Compromise can impact resources beyond the vulnerable component |
| Confidentiality | High | Complete loss of confidentiality possible |
| Integrity | High | Complete loss of integrity possible |
| Availability | High | Complete loss of availability possible |
The Scope: Changed designation is the most consequential aspect of this rating. It means a successful exploit against the PLC firmware can affect resources beyond the vulnerable component itself. In the context of the Snapdragon Auto platform, this could mean lateral movement from the compromised PLC chip into connected vehicle systems, telematics units, or EV charging infrastructure controllers.
Attack Flow
Based on the available technical details, exploitation would proceed along these lines:
- The attacker gains access to the adjacent powerline network. In EV charging scenarios, this could mean connecting to the same electrical circuit as the target device, potentially through a public or shared charging station.
- The attacker sends crafted traffic to the QCA7005 chip over the powerline network.
- Due to the incorrect authorization defect, the firmware processes the malicious input without verifying that the sender has appropriate permissions.
- The improperly authorized input triggers a buffer overflow in the PLC firmware.
- With the buffer overflow achieved, the attacker gains control over the PLC firmware execution context.
- Because of the scope change, the attacker can then potentially pivot from the compromised PLC firmware to affect other systems connected through the Snapdragon Auto platform.
The combination of no authentication requirement, no user interaction, and low attack complexity makes this vulnerability particularly accessible to attackers who can achieve adjacent network positioning.
Affected Systems and Versions
The vulnerability affects the Qualcomm QCA7005 Powerline Communication chipset, which is part of the Snapdragon Auto platform. The QCA7005 operates at 10 MBps and is used in automotive connectivity and EV charging applications.
Qualcomm's May 2026 Security Bulletin identifies the affected component as PLC firmware (PLC FW). Specific firmware version numbers were not enumerated in the available documentation. Organizations should consult the bulletin directly and contact their device manufacturer for precise version information relevant to their deployments.
Vendor Security History
Qualcomm maintains a structured product security program with monthly security bulletins designed to help customers incorporate security updates into launched or upcoming devices. The May 2026 Security Bulletin follows their established coordinated disclosure model, categorizing vulnerabilities by technology area and severity while acknowledging external researchers. This systematic approach to vulnerability disclosure reflects the company's ongoing engagement with the security research community, including organizations like the Trend Micro Zero Day Initiative.



