Universal Boot Loader (U-Boot) (Update A)
Plan Patch8.4ICS-CERT ICSA-25-343-01Dec 9, 2025
Attack VectorLocal
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Universal Boot Loader (U-Boot) versions prior to 2017.11 contain a vulnerability (CWE-1274) that could allow arbitrary code execution. This affects multiple Qualcomm chipsets (IPQ8064, IPQ5322, IPQ6018, IPQ4019, IPQ5018, IPQ8074, IPQ9574) and Johnson Controls Airwall AW-75 devices that use vulnerable U-Boot versions. The vulnerability is reachable through physical attack vectors, specifically unauthorized USB device insertion during device boot.
What this means
What could happen
An attacker with physical access to a device's USB port could inject malicious code during boot, gaining arbitrary code execution on the device. For water or electric utility gateways, this could allow tampering with network traffic, spoofing commands to connected systems, or disabling gateway protection.
Who's at risk
This affects network security gateways and edge devices using affected Qualcomm chipsets or Johnson Controls Airwall AW-75 models. Any mid-size utility running Airwall gateways or industrial devices based on IPQ-series chipsets are at risk. The threat requires physical access, making it primarily a concern for sites with weak physical security controls or devices deployed in accessible locations.
How it could be exploited
An attacker must physically access the device and insert a malicious USB device during the boot sequence before the bootloader finishes loading. This could allow code execution within the bootloader itself, giving the attacker control over the device before the operating system loads. The attack requires no network access and no credentials.
Prerequisites
- Physical access to the device's USB A port
- Ability to power-cycle or restart the device
- Malicious USB device or payload ready to inject
no authentication requiredphysical access required (low-complexity attack once device is accessible)affects network security appliancesQualcomm chipsets have no patch available
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (9)
2 with fix7 EOL
ProductAffected VersionsFix Status
Qualcomm Chipset IPQ6018<2017.11No fix (EOL)
Qualcomm Chipset IPQ8074<2017.11No fix (EOL)
Qualcomm Chipset IPQ8064<2017.11No fix (EOL)
Qualcomm Chipset IPQ5322<2017.11No fix (EOL)
U-boot: <2017.11<2017.112025.4
Qualcomm Chipset IPQ4019<2017.11No fix (EOL)
Qualcomm Chipset IPQ5018<2017.11No fix (EOL)
Johnson Controls Airwall AW-75 vers:all/*<2017.112025.4
Remediation & Mitigation
0/6
Do now
0/2WORKAROUNDPhysically seal or disable USB A ports on devices using epoxy, cable locks, or port covers to prevent unauthorized USB insertion; do not seal the micro-USB console port as it is not affected
HARDENINGDeploy Airwall and other security appliances in physically secure locations (locked server rooms, cabinets) where unauthorized USB device insertion is not feasible
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
HOTFIXFor Johnson Controls Airwall AW-75 running U-Boot version 2017.03 or earlier, download and install hotfix hf-3303 from Johnson Controls support portal
HOTFIXUpgrade U-Boot to version 2025.4 or later (contact Konsulko or check ftp.denx.de/pub/u-boot/)
HOTFIXFor devices using Qualcomm IPQ chipsets (IPQ8064, IPQ5322, IPQ6018, IPQ4019, IPQ5018, IPQ8074, IPQ9574), contact Qualcomm support referencing CVE-2025-24857, QPSIIR-1969, or CR4082905 to determine if your device model has a vendor-specific patch
Mitigations - no patch available
0/1The following products have reached End of Life with no planned fix: Qualcomm Chipset IPQ6018, Qualcomm Chipset IPQ8074, Qualcomm Chipset IPQ8064, Qualcomm Chipset IPQ5322, Qualcomm Chipset IPQ4019, Qualcomm Chipset IPQ5018, Qualcomm Chipset IPQ9574. Apply the following compensating controls:
HARDENINGRestrict physical access to devices by implementing badge access controls or security cameras in areas where gateways or critical network devices are located
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/d3f656b1-c130-48a3-9117-5bebf9d3316a