Kaspersky researchers conducted a security assessment of a modern System-on-Chip (SoC), Unisoc UIS7862A, which features an integrated 2G/3G/4G modem. This SoC can be found in various mobile devices by multiple vendors or, more interestingly, in the head units of modern Chinese vehicles, which are becoming increasingly common on the roads.
The head unit is one of a car’s key components, and a breach of its information security poses a threat to road safety, as well as the confidentiality of user data. During research, Kaspersky identified several critical vulnerabilities at various levels of the Unisoc UIS7862A modem’s cellular protocol stack. This article discusses a stack-based buffer overflow vulnerability in the 3G RLC protocol implementation (CVE-2024-39432).
Read more…
Source: Kaspersky
Sign up for the Cyber Security Review Newsletter
The latest cyber security news and insights delivered right to your inbox
Related:
- Critical Vulnerabilities in Ivanti EPMM Exploited
February 17, 2026
Two critical zero-day vulnerabilities (CVE-2026-1281 and CVE-2026-1340) affecting Ivanti Endpoint Manager Mobile (EPMM) are being actively exploited in the wild, affecting enterprise mobile fleets and corporate networks. These vulnerabilities allow unauthenticated attackers to remotely execute arbitrary code on target servers, granting them full control over mobile device management (MDM) infrastructure without requiring user interaction or credentials. Read ...
- Google patches first Chrome zero-day of the year
February 16, 2026
Google has patched a high-severity vulnerability in the Chrome browser which was apparently being used as a zero-day in the wild. In a security advisory, Google said it addressed CVE-2026-2441, a “use after free in CSS in Google Chrome prior to 145.0.7632.75”. This bug, given a severity score of 8.3/10 (high), allows threat actors to execute ...
- CVE-2024-43468: Attackers exploiting critical Microsoft bug from 2024
February 13, 2026
According to the US Cybersecurity and Infrastructure Security Agency (CISA) a SQL injection flaw in Microsoft Configuration Manager patched in October 2024 is now being actively exploited, exposing unpatched businesses and government agencies to attack. CISA added CVE-2024-43468 to its Known Exploited Vulnerabilities catalog on Thursday, setting a March 5 deadline for federal agencies to deploy the ...
- Apple patches zero-day flaw that could let attackers take control of devices
February 12, 2026
Apple has released security updates for iPhones, iPads, Macs, Apple Watches, Apple TVs, and Safari, fixing, in particular, a zero-day flaw that is actively exploited in targeted attacks. Exploiting this zero-day flaw would allow cybercriminals to run any code they want on the affected device, potentially installing spyware or backdoors without the owner noticing. Installing these ...
- Patch Tuesday – February 2026
February 11, 2026
Microsoft is publishing 55 vulnerabilities this February 2026 Patch Tuesday. Microsoft is aware of exploitation in the wild for six of today’s vulnerabilities, and notes public disclosure for three of those. Earlier in the month, All three of the publicly disclosed zero-day vulnerabilities published today are security feature bypasses, and Microsoft acknowledges the same cast of ...
- SolarWinds Web Help Desk Exploitation – February 2026
February 10, 2026
Multiple intrusions have been publicly reported starting on February 6, 2026 stemming from Internet-connected servers utilizing SolarWinds Web Help Desk software. This exploitation activity reportedly first occurred in December 2025. Given the number of recent CVEs affecting this product, it’s not yet clear which of several CVEs is directly responsible for these campaigns. Below are ...