MEDIUM 6.5

CVE-2025-59601: Information Disclosure in Qualcomm Wireless & Audio Components Factory Reset

CVE-2025-59601 describes an information disclosure vulnerability in multiple Qualcomm wireless and audio components. When a device is factory reset through its powerline interface, sensitive configuration data may be exposed to an attacker with adjacent network access. This allows unauthorized parties to read device settings that should have been wiped during the reset process. The vulnerability does not allow modification of settings or denial of service, but the exposure of configuration details could enable further attacks or reveal sensitive operational parameters.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-1230
Affected products
16 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Information Disclosure when resetting device to factory default settings through powerline interface allows unauthorized access to device configuration.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

This vulnerability (CWE-1230: Exposure of Sensitive Information Through Metadata) affects factory reset functionality in Qualcomm's FastConnect, QCA, Snapdragon AR1, WCD, and WSA components. The powerline interface—used for device management and configuration—fails to properly sanitize or remove sensitive data during a factory default reset. An attacker positioned on the adjacent network segment can intercept or access residual configuration information that persists after the reset completes. The CVSS 3.1 vector (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects that the attack requires adjacent network access but is otherwise straightforward to execute, with high confidentiality impact and no integrity or availability impact.

Business impact

Organizations deploying Qualcomm wireless chipsets—particularly in enterprise WiFi infrastructure, audio systems, and AR/VR platforms—face a risk of configuration data leakage during device lifecycle operations. If devices are repurposed or decommissioned, sensitive settings (authentication credentials, SSID histories, network topology details) may be recoverable by network-adjacent attackers. This could compromise subsequent deployments sharing the same network segment, breach privacy expectations around data sanitization, and create compliance friction in regulated environments where secure device wiping is mandated.

Affected systems

The vulnerability impacts Qualcomm FastConnect 7800, QCA7005, Snapdragon AR1 Gen 1, WCD9380, WCD9385, WSA8830, WSA8832, and WSA8835 components and their associated firmware. These are commonly integrated into enterprise WiFi access points, wireless speakers, AR/VR headsets, smartphones, and audio processing platforms. Organizations should inventory deployments of these specific chipsets to determine exposure scope. Verify exact platform configurations in vendor documentation, as these components appear in diverse device types across multiple vendors.

Exploitability

Exploitation requires an attacker to be on the same network segment (adjacent network access) and to trigger or observe a factory reset operation. No special privileges, user interaction, or complex technical steps are needed once the attacker is positioned. However, the attack window is bounded: it must occur during or immediately after a factory reset. This limits spontaneous exploitation but makes the risk material during planned device decommissioning, refresh cycles, or after-sales device preparation. The barrier to entry is low for network-adjacent attackers in shared infrastructure environments.

Remediation

Contact Qualcomm and your device vendors for firmware patches addressing this issue. Patches should ensure that all sensitive configuration data is cryptographically wiped or securely removed during factory reset operations. Until patches are available, implement compensating controls: restrict network access to management interfaces, use network segmentation to limit adjacency to devices undergoing reset, employ out-of-band management channels where possible, and document device reset procedures to ensure they are performed in controlled, physically secured environments. Verify patch applicability against your specific chipset and firmware versions before deployment.

Patch guidance

Qualified patches from Qualcomm and device OEMs must be verified against the specific product and firmware version in your environment. Check the vendor advisories for affected firmware versions and corresponding patch or update versions. Apply patches in a controlled manner, beginning with non-critical devices to validate compatibility and performance. For devices that cannot be patched immediately, enforce network segmentation and access controls around the powerline management interface. Maintain an inventory of firmware versions in production to track remediation progress.

Detection guidance

Monitor for factory reset events on managed devices, particularly in network segments where sensitive data may be at rest. Log access to powerline management interfaces and correlate reset operations with network traffic patterns that might indicate information exfiltration. Intrusion detection systems should be tuned to flag anomalous access to configuration interfaces during or shortly after reset sequences. Endpoint Detection and Response (EDR) tools on associated systems may flag unusual file or memory access patterns. In air-gapped or controlled environments, periodic verification that sensitive data is properly cleared post-reset can provide assurance that patches or mitigations are effective.

Why prioritize this

Although this vulnerability carries a MEDIUM CVSS score and is not yet on the CISA Known Exploited Vulnerabilities (KEV) list, it warrants timely attention because: (1) it affects core wireless and audio infrastructure widely deployed in enterprise environments, (2) the attack surface includes common lifecycle operations (device reset, decommissioning, refresh) that many organizations perform routinely, and (3) the exposure of configuration data—including potential credentials—can create cascading risks downstream. Organizations should prioritize inventory and patching of affected chipsets over the next 60–90 days, with heightened urgency for devices in high-value network segments or those handling sensitive workloads.

Risk score, explained

The CVSS 3.1 score of 6.5 (MEDIUM) reflects high confidentiality impact (an attacker gains unauthorized access to device configuration) balanced against the requirement for adjacent network access and the absence of integrity or availability impact. The score appropriately captures that this is a serious information disclosure risk but not a critical remote code execution or widespread denial-of-service vector. Organizational risk may be higher or lower depending on deployment context: organizations with poor network segmentation or those frequently decommissioning devices in shared spaces face elevated practical risk; those with strong access controls and air-gapped management networks face lower risk.

Frequently asked questions

Can an attacker exploit this from the Internet or must they be on-site?

The vulnerability requires adjacent network access—the attacker must be on the same network segment or able to route traffic to the device's powerline management interface. This typically means the attacker is on-site or has compromised an intermediate network node. Remote exploitation from the broader Internet is not possible, but this does not eliminate risk in shared or guest networks or in scenarios where rogue devices are planted on a corporate LAN.

Do we need to reset all devices immediately, or can we wait for patches?

No immediate reset is required. A reset will not eliminate the vulnerability; instead, implement network segmentation and restrict access to the powerline interface until patches are available. Avoid resetting devices in unsecured or shared network environments. Once vendor patches are released and validated in your environment, apply them as part of your standard firmware update cycle. Prioritize devices in sensitive network locations or those handling high-value data.

What should we do with devices we are decommissioning or repurposing right now?

Reset devices in a controlled, physically secured environment, or defer the reset until patches are available. If immediate decommissioning is required, ensure the device is physically isolated or moved to an air-gapped network before reset. After reset, verify that sensitive configuration has been removed using vendor-provided tools or forensic validation. Document the process to maintain a record of secure sanitization.

Does this affect our warranty or require device replacement?

No. This is a firmware issue addressable through patching; devices do not need to be replaced. Qualified firmware updates from vendors should resolve the vulnerability. Contact your vendor support team to confirm patch availability and compatibility with your specific hardware and firmware versions.

This analysis is based on publicly available vulnerability data as of the publication and modification dates provided. Patch availability, version numbers, and vendor advisory details should be verified directly with Qualcomm and device OEMs before implementing any remediation. SEC.co does not provide vendor support, warranty claims, or legal advice. Organizations are responsible for assessing their own risk posture, validating patches in test environments, and implementing appropriate controls based on their network architecture and threat model. This document does not constitute a security guarantee or endorsement of any specific vendor product. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).