Critical UNISOC T612 modem vulnerability: a malicious cellular video call can achieve remote code execution
Summary: UNISOC's T612 baseband chip has a critical memory-corruption vulnerability that allows remote code execution through a malicious video call. The flaw affects devices from multiple phone brands and in emerging markets. An attacker triggers an unbounded recursion condition in SIP/SDP parsing to cause a stack overflow and injects shellcode via malicious SDP data to control the device. The flaw is a major threat to high-risk users and to operators that rely on UNISOC-based devices.

2026-3-20 12:9:6 Author: cyberpress.org (view original)

A critical memory-corruption flaw in UNISOC’s T612 modem family allows remote code execution (RCE) on vulnerable Android devices using only a malicious cellular video call, enabling one phone to compromise another over the mobile network layer.

UNISOC and ecosystem impact

UNISOC is a top-three global fabless semiconductor vendor headquartered in Shanghai, supplying 2G–5G, IoT, and smart device chipsets to OEMs such as Honor, realme, vivo, Samsung, and Motorola, with deployments in over 140 countries.

The vulnerable baseband stack ships in popular budget and mid-range Android phones, including the realme C33, significantly amplifying the potential attack surface across emerging markets where UNISOC penetration is highest.

The flaw lies in the UNISOC modem firmware’s SIP/SDP parsing path, specifically an exploitable Uncontrolled Recursion condition (CWE‑674) in the _SDPDEC_AcapDecoder function that handles the nonstandard acap attribute.

After parsing one acap attribute, the function consults the SipHandler_AttrDecoder table and may re-invoke itself for the next attribute without enforcing any recursion or depth limit, allowing attacker-controlled SDP to drive unbounded stack consumption.

By placing many acap attributes on a single SDP line, an attacker can force the SIP task’s stack to collide with the sblock_0_2 task’s stack, causing a stack overflow within the baseband RTOS context.
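The recursion pattern described above, as an added example that is not UNISOC's firmware code: a hypothetical decoder for a constructed one-line format carrying several `acap:` tokens, first with the unbounded re-entry the article describes and then with a depth budget (`MAX_ACAP_DEPTH`, a constructed value) that rejects the line instead of letting the peer dictate stack consumption. All function names here are assumptions.

```c
/* Added illustration, not UNISOC's firmware: a hypothetical decoder for a
 * constructed one-line format carrying several "acap:" tokens. The first
 * decoder re-enters itself per token with no depth limit (CWE-674); the
 * second carries a depth budget and rejects the line once it is spent. */
#include <stdio.h>
#include <string.h>

#define MAX_ACAP_DEPTH 16   /* constructed limit; the real budget is a design choice */

/* Skip to just past the next "acap:" token, or return NULL if none is left. */
static const char *next_acap(const char *p)
{
    const char *hit = strstr(p, "acap:");
    return hit ? hit + 5 : NULL;
}

/* Unbounded pattern: one stack frame per attribute the peer chose to send. */
int acap_decode_unbounded(const char *p)
{
    const char *rest = next_acap(p);
    if (rest == NULL)
        return 0;
    return 1 + acap_decode_unbounded(rest);
}

/* Bounded version: returns the attribute count, or -1 when the depth budget
 * is exceeded so the caller can drop the SDP instead of continuing. Start
 * with depth 0; an iterative loop would remove the stack growth entirely. */
int acap_decode_bounded(const char *p, int depth)
{
    const char *rest = next_acap(p);
    if (rest == NULL)
        return 0;
    if (depth >= MAX_ACAP_DEPTH)
        return -1;
    int n = acap_decode_bounded(rest, depth + 1);
    return n < 0 ? -1 : n + 1;
}

/* Build a constructed line with n acap tokens, e.g. "a=acap:0 acap:1 ...". */
const char *make_acap_line(int n)
{
    static char buf[512];
    size_t used = (size_t)snprintf(buf, sizeof buf, "a=");
    for (int i = 0; i < n && used + 8 < sizeof buf; i++)
        used += (size_t)snprintf(buf + used, sizeof buf - used, "acap:%d ", i % 10);
    return buf;
}
```

With the budget set to 16, a line carrying 16 tokens decodes normally and one carrying 17 is rejected with -1 before any further frame is pushed.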

Subsequently overwriting function pointers belonging to the sblock_0_2 task redirects execution to attacker-supplied ARM Thumb shellcode delivered via a separate crypto attribute, demonstrating native code execution in the modem.

Exploitation is performed entirely over the cellular IMS/VoLTE signaling plane using malformed SDP embedded in SIP INVITE messages.

In the researcher’s setup, a Dockerized Open5GS core with Kamailio is used alongside a LimeSDR-based 4G cell, and Osmocom sysmoISIM USIM cards, with the attacker UE implemented as a pwntools-based container that registers to IMS and sends crafted INVITEs.

The vulnerable target is a realme C33 handset (UNISOC T612) with July 1, 2025, Android security patches, showing that Android framework updates do not mitigate the baseband flaw.

A video call from the attacker device is sufficient: SRTP traffic triggers fragmentation, activates the sblock_0_2 task, and once the victim answers, the modem crashes and ultimately executes the injected shellcode, confirmed post-crash by modem memory dumps and register analysis showing 0xdeadbeef written to a controlled address.

Testing confirmed the issue in the firmware image MOCORTM_22A_W23.02.5_P12.14_Debug as deployed on the realme C33.

Analysis indicates that at least the following UNISOC SoCs share the vulnerable SDP parser implementation: T612, T616, T606, and T7250, implying risk across multiple handset lines built on this modem codebase.

The vulnerability was independently discovered by researcher 0x50594d in collaboration with SSD Secure Disclosure, which attempted to contact UNISOC via email and LinkedIn but received no response at the time of publication.

In the absence of patches or public advisories from the vendor, devices using the affected firmware remain exposed to remote, baseband-level compromise via nothing more than a malicious cellular video call from any reachable number.

Given that exploitation occurs in the modem, below the Android OS boundary, successful RCE could enable covert interception, location tracking, or persistent compromise that survives typical device forensics, making this flaw particularly critical for high-risk users and operators relying on UNISOC-based infrastructure.


AnuPriya


AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.


Source: https://cyberpress.org/critical-unisoc-t612-modem-flaw/