Preface: Qualcomm chipsets contain Powerline Communication (PLC) firmware features, particularly within their automotive and IoT-focused product lines designed for smart grid and electric vehicle (EV) charging.
Background: To implement write protection for SPI Flash, you generally need a combination of Hardware WP# pins and Software Status Register configurations.
The SPI Flash hardware and software protections (WP# pin / BP bits) failed to provide a complete write-lock across the device lifecycle.
The threat model for CVE-2026-25293 usually assumes an attacker targets the PIB (Parameter Information Block):
• Malicious PIB Modification: If WP is not active, an attacker can change MAC addresses or security keys in the PIB to conduct Man-in-the-Middle (MITM) attacks and steal charging credentials.
• Persistent Backdoor: By overwriting sections of the NVM code (made possible because BP bits = 0), an attacker can implant a persistent backdoor that survives a reboot.
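As an added example (not Qualcomm's code and not from the bulletin), the check below audits a flash part's status registers for the two conditions described above: BP bits that protect nothing, and a status register that can still be rewritten because WP# is not enforcing the lock. The bit layout is an assumption (the common Winbond W25Q-style layout), and `audit_flash_wp` and the `WP_*` names are hypothetical.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed bit layout (Winbond W25Q-style); confirm against the part's datasheet. */
#define SR1_BP_MASK 0x1Cu /* BP2..BP0 */
#define SR1_SRP0    0x80u /* status register protect 0 */
#define SR2_SRP1    0x01u /* status register protect 1 */
#define SR2_QE      0x02u /* quad enable: WP# pin becomes IO2 */
#define SR2_CMP     0x40u /* complement: inverts the BP-selected region */

#define WP_NO_BLOCK_PROTECT 0x1u /* no flash region is write-protected */
#define WP_SR_WRITABLE      0x2u /* status register can still be rewritten */

/* Hypothetical audit helper: returns a bitmask of findings, 0 means locked. */
unsigned audit_flash_wp(uint8_t sr1, uint8_t sr2, bool wp_pin_low)
{
    unsigned findings = 0;
    uint8_t bp = sr1 & SR1_BP_MASK;
    bool cmp = (sr2 & SR2_CMP) != 0;
    bool srp0 = (sr1 & SR1_SRP0) != 0;
    bool srp1 = (sr2 & SR2_SRP1) != 0;
    bool wp_pin_usable = (sr2 & SR2_QE) == 0;

    /* BP=000 protects nothing; with CMP set, BP=111 protects nothing. */
    if ((!cmp && bp == 0) || (cmp && bp == SR1_BP_MASK))
        findings |= WP_NO_BLOCK_PROTECT;

    /* SRP1=1: register locked (until power cycle or permanently).
     * SRP1=0, SRP0=1: register locked only while WP# is held low.
     * SRP1=0, SRP0=0: software protection only, WP# is ignored. */
    if (!srp1 && !(srp0 && wp_pin_usable && wp_pin_low))
        findings |= WP_SR_WRITABLE;

    return findings;
}

int main(void)
{
    /* Constructed sample: factory-default registers, WP# left high. */
    unsigned f = audit_flash_wp(0x00, 0x00, false);
    printf("no block protect: %u, status register writable: %u\n",
           f & WP_NO_BLOCK_PROTECT, (f & WP_SR_WRITABLE) >> 1);
    return 0;
}
```

A result of 0 means both layers are in place; any other value identifies which layer is missing on the audited unit.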
Vulnerability Details:
Title – Incorrect authorization in PLC FW
Description – Buffer overflow due to incorrect authorization in PLC FW
Technology Area – PLC FW
Vulnerability Type – CWE-863
Access Vector – Remote
Security Rating – Critical
Official announcement: Please refer to the link for details – https://docs.qualcomm.com/securitybulletin/may-2026-bulletin.html
Remedy: The primary remedy is to update the affected PLC firmware to the latest version supplied by the vendor that specifically addresses this CVE.