CVE-2025-31713
Description
In engineer mode service, there is a possible command injection due to improper input validation. This could lead to local escalation of privilege with no additional execution privileges needed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in Unisoc's engineer mode service allows local escalation of privilege without additional execution privileges.
Vulnerability Analysis
CVE-2025-31713 is a command injection vulnerability (CWE-77) found in the engineer mode service of Unisoc chipsets. The root cause is improper input validation, which allows an attacker to inject arbitrary commands into the service's execution flow. This vulnerability affects multiple Unisoc chipsets, including SL8521E, SL8541E, and UIS8141E, running software versions Mocor5, Android 8.1, and Android 9 [1].
Exploitation
The attack vector is local, meaning an attacker must have local access to the device. No authentication or additional execution privileges are required beyond the ability to interact with the engineer mode service. The vulnerability can be triggered by sending specially crafted input that is not properly sanitized, leading to command injection [1].
Impact
Successful exploitation allows an attacker to achieve local escalation of privilege, potentially gaining complete control over the affected device. The CVSS v3.1 score is 8.4 (High), with a vector string of AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating high impact on confidentiality, integrity, and availability [1].
Mitigation
As of the publication date (2025-08-18), Unisoc has released a security announcement detailing the vulnerability. Users and vendors are advised to apply any available patches or updates from Unisoc to mitigate the risk. No workarounds are mentioned in the available references [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.