A newly disclosed UNISOC modem vulnerability allows attackers to execute remote code on Android devices using nothing more than a malicious cellular video call. This critical flaw resides in the baseband firmware, meaning it operates below the Android operating system and bypasses traditional mobile security protections. 

Because the affected UNISOC chipsets power millions of budget and mid-range Android devices, the vulnerability dramatically expands the attack surface—especially across emerging markets. Security researchers demonstrated that one phone can remotely compromise another over the mobile network layer, raising serious concerns for telecom providers, enterprises, and high-risk users.
In this article, you’ll learn:
- What the UNISOC modem RCE vulnerability is
- How the exploitation works
- Affected chipsets and devices
- Real-world proof-of-concept attack setup
- Security risks and impact
- Detection and mitigation strategies
What Is the UNISOC Modem RCE Vulnerability?
The vulnerability is a memory corruption flaw in the UNISOC baseband modem firmware. It enables remote code execution (RCE) through malformed SIP/SDP data during a cellular video call.
Key Technical Details
- Vulnerability Type: Memory corruption
- CWE Classification: CWE-674 (Uncontrolled Recursion)
- Attack Vector: Cellular video call (IMS/VoLTE)
- Impact: Remote code execution
- Privilege Level: Baseband firmware
- User Interaction: Minimal (answering call)
Key Insight:
This attack bypasses Android OS protections because it targets the baseband processor directly.
About UNISOC and Ecosystem Impact
UNISOC is a major global chipset vendor supplying mobile processors to numerous smartphone manufacturers.
Affected Ecosystem
- Budget Android phones
- Mid-range devices
- IoT devices
- Emerging market deployments
Vendors Using UNISOC Chipsets
- Samsung
- Motorola
- realme
- vivo
- Honor
Security Impact:
Millions of devices may be exposed due to shared baseband firmware.
Technical Root Cause
The flaw exists in the SIP/SDP parsing logic inside the modem firmware.
Vulnerable Component
- Function: _SDPDEC_AcapDecoder
- Issue: Uncontrolled recursion
- Trigger: Multiple acap attributes in SDP
- Result: Stack overflow
The parser recursively processes SDP attributes without enforcing depth limits, leading to uncontrolled stack growth.
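As an added illustration (not code from the article or from UNISOC), here is a hypothetical acap decoder in C that keeps the recursive structure described above but enforces a depth cap, so an SDP body carrying more acap attributes than the firmware can safely handle is rejected instead of exhausting the stack. The ACAP_MAX_DEPTH value, the function names and the constructed SDP body are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounded acap decoder written for this article. It is not
 * UNISOC's _SDPDEC_AcapDecoder; it mirrors the described pattern (one
 * recursive call per "a=acap:" attribute) and adds the missing depth cap. */
#define ACAP_MAX_DEPTH 16  /* assumed cap; firmware would size it to its stack budget */

/* Walk the SDP body, recursing once per acap attribute.
 * Returns the number of acap attributes accepted, or -1 if the cap is exceeded. */
static int decode_acap(const char *sdp, int depth)
{
    const char *line = strstr(sdp, "a=acap:");
    if (line == NULL)
        return depth;               /* no further acap attribute: parsing complete */
    if (depth >= ACAP_MAX_DEPTH)
        return -1;                  /* refuse the body instead of growing the stack */
    /* per-attribute decoding would happen here */
    const char *eol = strchr(line, '\n');
    if (eol == NULL)
        return depth + 1;           /* attribute sits on the final, unterminated line */
    return decode_acap(eol + 1, depth + 1);
}

int sdp_acap_count(const char *sdp)
{
    return decode_acap(sdp, 0);
}

/* Build a constructed SDP body with n acap attributes (test input, not captured traffic). */
void build_sdp(char *buf, size_t len, int n)
{
    int off = snprintf(buf, len, "v=0\r\nm=video 9 RTP/AVP 96\r\n");
    for (int i = 1; i <= n && (size_t)off < len; i++)
        off += snprintf(buf + off, len - off, "a=acap:%d rtpmap:96 H264/90000\r\n", i);
}

/* Convenience wrapper: build a body with n acap lines and decode it. */
int acap_count_for(int n)
{
    char body[2048];
    build_sdp(body, sizeof body, n);
    return sdp_acap_count(body);
}

int main(void)
{
    printf("3 attrs -> %d\n", acap_count_for(3));    /* 3: accepted */
    printf("17 attrs -> %d\n", acap_count_for(17));  /* -1: rejected at the cap */
    return 0;
}
```

The same bounded count can double as a network-side IMS signaling check: an INVITE whose SDP body makes the decoder return -1 is worth flagging before it is delivered to a handset.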
Exploitation Method Explained
Attackers craft malicious SIP INVITE messages containing malformed SDP data.
Attack Workflow
- Attacker initiates cellular video call
- Malformed SDP embedded in SIP INVITE
- Victim device parses SDP
- Recursive function triggered repeatedly
- Stack overflow occurs
- Function pointers overwritten
- Execution redirected to shellcode
- Remote code execution achieved
Key Advantage for Attackers:
The exploit runs entirely over the cellular network.
Proof-of-Concept Attack Environment
Researchers demonstrated the attack using a controlled telecom lab.
Setup Components
- Open5GS core network
- Kamailio SIP server
- LimeSDR 4G base station
- Osmocom USIM cards
- pwntools attacker container
This setup allowed the researchers to send crafted SIP INVITE messages to the target device.
Affected Devices and Chipsets
Testing confirmed the vulnerability in several UNISOC SoCs.
Confirmed Vulnerable Chipsets
- T612
- T616
- T606
- T7250
Example Affected Device
- realme C33 (UNISOC T612)
Important:
Even devices with the latest Android patches remain vulnerable.
Why Baseband Vulnerabilities Are Critical
Baseband exploits operate below the Android OS.
Potential Impacts
- Silent call interception
- Location tracking
- Persistent compromise
- Surveillance capabilities
- Bypass of mobile security tools
- Hard-to-detect malware
Security Reality:
Baseband-level attacks are extremely stealthy.
Attack Impact Analysis
| Risk Area | Impact |
|---|---|
| Confidentiality | Call interception |
| Privacy | Location tracking |
| Integrity | Device manipulation |
| Persistence | Survives OS resets |
| Detection | Difficult for EDR |
| Telecom | Network-layer abuse |
Why Android Updates Don’t Help
The vulnerability resides in the modem firmware, not in the Android OS.
Implication
- Android security patches ineffective
- Requires baseband firmware update
- Vendor patch needed
- Carrier firmware distribution required
Indicators of Exploitation
Detection is difficult, but some symptoms may appear.
Possible Signs
- Unexpected modem crash
- Dropped video calls
- Unusual network behavior
- Baseband reset events
- Abnormal radio logs
Detection Challenges
Traditional security tools cannot easily detect baseband attacks.
Limitations
- No file system artifacts
- No Android process involvement
- Hidden modem execution
- Limited logging visibility
Security Insight:
This vulnerability bypasses endpoint detection solutions.
Mitigation Recommendations
For Individuals
- Avoid answering unknown video calls
- Disable VoLTE video calling if possible
- Keep device firmware updated
- Monitor manufacturer advisories
For Enterprises
- Track vulnerable device inventory
- Restrict high-risk device usage
- Implement mobile risk management
- Monitor telecom anomalies
- Deploy mobile threat defense tools
Telecom and Operator Recommendations
- Push baseband firmware updates
- Monitor abnormal SIP traffic
- Deploy IMS signaling inspection
- Implement network-level filtering
Framework Mapping
MITRE ATT&CK Mobile
- T1471 – Exploit via cellular network
- T1406 – Exploit OS vulnerability
- T1636 – Network-based exploitation
NIST Cybersecurity Framework
- Identify: Mobile chipset risk
- Protect: Firmware management
- Detect: Network anomaly monitoring
- Respond: Device isolation
- Recover: Firmware patch deployment
Risk Severity Assessment
| Metric | Rating |
|---|---|
| Attack Complexity | Low |
| User Interaction | Minimal |
| Exploitability | Remote |
| Privilege | Baseband |
| Detection | Very difficult |
| Severity | Critical |
FAQs
What is the UNISOC modem vulnerability?
A baseband memory corruption flaw enabling remote code execution via cellular video calls.
Which devices are affected?
Devices using UNISOC T612, T616, T606, and T7250 chipsets.
Does Android patching fix the issue?
No. The vulnerability exists in modem firmware.
Can attackers exploit this remotely?
Yes. A malicious cellular video call is sufficient.
Why is baseband RCE dangerous?
It operates below the OS, enabling stealth surveillance.
Is there a patch available?
No public patch has been released at the time of disclosure.
Conclusion
The UNISOC modem RCE vulnerability highlights the growing risks of baseband-level attacks. Because exploitation occurs via malicious cellular video calls, attackers can compromise devices remotely without installing apps or sending links.
Organizations and users should:
- Track affected devices
- Limit exposure to unknown calls
- Monitor firmware updates
- Implement mobile security controls
Until vendor patches are released, this vulnerability remains a high-risk mobile security threat requiring proactive awareness and mitigation. 
