CVE-2020-25858
HIGH
Qualcomm Mobile Access Point - Denial of Service via Unvalidated strstr/strchr Return Value
Title source: llm
Description
The QCMAP_Web_CLIENT binary in the Qualcomm QCMAP software suite prior to versions released in October 2020 does not validate the return value of a strstr() or strchr() call in the Tokenizer() function. An attacker who invokes the web interface with a crafted URL can crash the process, causing denial of service. This version of QCMAP is used in many kinds of networking devices, primarily mobile hotspots and LTE routers.
References (1)
Core References
Exploit, Third Party Advisory x_refsource_misc
http://vdoo.com/blog/qualcomm-qcmap-vulnerabilities
Scores
CVSS v3
7.5
EPSS
0.0272
EPSS Percentile
86.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Details
CWE
CWE-476
Status
published
Products (1)
qualcomm/qualcomm_mobile_access_point
Published
Oct 15, 2020
Tracked Since
Feb 18, 2026