Vulnerability Monitor

The vendors, products, and vulnerabilities you care about

CVE-2017-18313

Under certain mode of operations, HLOS may be able get direct or indirect access through DXE channels to tamper with the authenticated WCNSS firmware stored in DDR because DXE-accessible memory is located within the authenticated image in Snapdragon Mobile and Snapdragon Wear in version MSM8909W, SD 210/SD 212/SD 205, SD 410/12, SD 615/16/SD 415, SD 617.

Security Impact Summary

This vulnerability carries a MEDIUM severity rating with a CVSS v3.1 score of 5.3, indicating it requires adjacent network access but requires specific conditions to be met without requiring user interaction and does not require pre-existing privileges . The vulnerability impacts integrity (unauthorized modifications), for affected systems. Impacting 20 products from qualcomm, from qualcomm, from qualcomm and 17 others, organizations running these solutions should prioritize assessment and patching.

Historical Context

First disclosed in 2018, this vulnerability was reported during a period defined by widespread IoT adoption challenges, mobile security concerns, and the emergence of advanced persistent threat (APT) techniques. Contemporary mitigation strategies focused on secure development practices and third-party component vetting.

Published

2018-10-23T13:29:02.837

Last Modified

2024-11-21T03:19:50.010

Status

Modified

Source

[email protected]

Severity

CVSSv3.0: 5.3 (MEDIUM)

CVSSv2 Vector

AV:A/AC:M/Au:N/C:N/I:C/A:N

Access Vector: ADJACENT_NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: COMPLETE
Availability Impact: NONE

Exploitability Score

5.5

Impact Score

6.9

Weaknesses

Type: Primary
NVD-CWE-noinfo

Affected Vendors & Products

Type	Vendor	Product	Version/Range	Vulnerable?
Operating System	qualcomm	msm8909w_firmware	-	Yes
Hardware	qualcomm	msm8909w	-	No
Operating System	qualcomm	sd_210_firmware	-	Yes
Hardware	qualcomm	sd_210	-	No
Operating System	qualcomm	sd_212_firmware	-	Yes
Hardware	qualcomm	sd_212	-	No
Operating System	qualcomm	sd_205_firmware	-	Yes
Hardware	qualcomm	sd_205	-	No
Operating System	qualcomm	sd_410_firmware	-	Yes
Hardware	qualcomm	sd_410	-	No
Operating System	qualcomm	sd_412_firmware	-	Yes
Hardware	qualcomm	sd_412	-	No
Operating System	qualcomm	sd_615_firmware	-	Yes
Hardware	qualcomm	sd_615	-	No
Operating System	qualcomm	sd_616_firmware	-	Yes
Hardware	qualcomm	sd_616	-	No
Operating System	qualcomm	sd_415_firmware	-	Yes
Hardware	qualcomm	sd_415	-	No
Operating System	qualcomm	sd_617_firmware	-	Yes
Hardware	qualcomm	sd_617	-	No

References

https://source.android.com/security/bulletin/2018-09-01#qualcomm-closed-source-components Third Party Advisory ([email protected])
https://www.qualcomm.com/company/product-security/bulletins Vendor Advisory ([email protected])
https://source.android.com/security/bulletin/2018-09-01#qualcomm-closed-source-components Third Party Advisory (af854a3a-2127-422b-91ae-364da2661108)
https://www.qualcomm.com/company/product-security/bulletins Vendor Advisory (af854a3a-2127-422b-91ae-364da2661108)

How SecUtils Interprets This CVE

SecUtils normalizes and enriches National Vulnerability Database (NVD) records by standardizing vendor and product identifiers, aggregating vulnerability metadata from both NVD and MITRE sources, and providing structured context for security teams. For qualcomm's affected products, we extract Common Platform Enumeration (CPE) data, Common Weakness Enumeration (CWE) classifications, CVSS severity metrics, and reference data to enable rapid vulnerability prioritization and asset correlation. This record contains no exploit code, proof-of-concept instructions, or attack methodologies—only defensive intelligence necessary for patch management, risk assessment, and security operations.