Critical UNISOC T612 Modem Flaw Enables Remote Code Execution via Cellular Calls

A critical flaw has beenidentified in UNISOC modem firmware, enabling attackers to execute arbitrary code remotely via cellular networks.

As a leading semiconductor supplier, UNISOC supplies chipsets to major mobile brands including Motorola, Samsung, Vivo, and Realme.

This unpatched weakness exposes millions of devices to potential remote compromise.

Vulnerability Overview

A malicious actor can compromise a target device simply by initiating a cellular call.

By crafting specially formatted Session Description Protocol (SDP) messages within standard Session Initiation Protocol (SIP) signaling, an attacker triggers memory corruption in the victim’s modem.

This critical vulnerability constitutes an Uncontrolled Recursion issue, tracked under the Common Weakness Enumeration system as CWE-674.

The core issue lies in insecure parsing of message attributes during network requests.

The root cause is in the _SDPDEC_AcapDecoder function, responsible for handling the acap attribute within SDP messages.

Without proper validation of input length or depth, the decoder can recursively invoke itself indefinitely when processing multiple consecutive acap attributes on a single line.

This causes a stack overflow that collides with another process stack, specifically the sblock_0_2 task.

For exploitation, the attacker must ensure sblock_0_2 is active. This occurs during data fragmentation in the IP Multimedia Subsystem (IMS) context, naturally triggered during activities like video calls.

An attacker can introduce malicious data onto the stack via a crypto attribute, overwrite critical function pointers, and achieve remote code execution.

Researcher 0x50594d, working with SSD Secure Disclosure, demonstrated this attack in a controlled environment.

SSD researchers used a Dockerized Open5GS deployment with Kamailio, a LimeSDR antenna, and a target smartphone.

The script authenticates the attacker’s device to the core network and sends modified INVITE messages containing the payload. After delivering the attack, the attacker initiates a video call to the victim device.

Upon connection and data fragmentation, the stack overflow occurs, crashing the modem and executing the injected shellcode.

The vulnerability impacts UNISOC chipsets: T612, T616, T606, and T7250.

The exploit was successfully reproduced on a Realme C33 running July 2025 Android security updates and MOCORTM_22A_W23.02.5_P12.14_Debug firmware.

SSD researchers attempted to contact UNISOC via email and professional networks but received no response regarding a patch.

With no firmware update available, devices using these affected modems remain highly vulnerable to this unauthenticated remote code execution flaw.

Related Articles

Back to top button