UNISOC T612 Modem Flaw Lets Hackers Execute Code Over Cellular Calls

In a startling revelation that could affect millions of smartphones worldwide, security researchers have identified a critical flaw in the firmware of UNISOC’s T612 modem. The vulnerability allows attackers to run arbitrary code on a device simply by sending a specially crafted cellular call. Because UNISOC supplies chipsets to some of the biggest names in mobile hardware—Motorola, Samsung, Vivo, and Realme—this flaw could compromise a vast swath of consumer devices without any user interaction.

What Is the UNISOC T612 Modem Flaw?

The T612 is a popular modem used in mid‑range and budget smartphones. It handles voice, data, and SMS traffic, acting as the bridge between a phone and the cellular network. The discovered vulnerability lies in the way the modem parses incoming call setup messages. When a call is initiated, the modem receives a packet that contains a call identifier, caller number, and other metadata. In the vulnerable firmware, the parser fails to validate the length of the call identifier field. An attacker can exploit this by sending a call with an oversized identifier, which causes the modem to write data beyond the bounds of the allocated buffer.

Buffer overflows of this nature are classic vectors for remote code execution (RCE). Once the overflow occurs, an attacker can inject shellcode that the modem will execute with the privileges of the baseband processor. Because the baseband runs in a privileged, isolated environment, the attacker can gain control over the entire device, bypassing the operating system’s security mechanisms.

How Attackers Can Exploit the Vulnerability

Unlike many modern exploits that require physical proximity or user interaction, this flaw can be triggered over the air. An attacker only needs to send a malicious call to the target device. The call does not need to be answered; the mere receipt of the malformed packet is sufficient to trigger the overflow.

Once the attacker has control, they can:

• Install malware or a backdoor for persistent access.
• Steal personal data such as contacts, messages, and media.
• Use the device as a command‑and‑control node in a larger botnet.
• Launch further attacks against other devices on the same network.

Because the attack vector is so simple, there is no need for the victim to click a link or download a file. The exploit can be carried out from a distance, making it a potent tool for mass surveillance or large‑scale phishing campaigns.

Who Is Affected and What Can Be Done?

UNISOC’s T612 modem is integrated into a wide range of smartphones. While a full list of affected models is not yet available, the following manufacturers are known to use the chipset in their devices:

• Motorola – several mid‑range models released in 2022 and 2023.
• Samsung – certain Galaxy A series phones.
• Vivo – a selection of budget and mid‑range devices.
• Realme – multiple models across the Realme 8 and 9 series.

Manufacturers are currently working on firmware patches. However, updating baseband firmware is a complex process that often requires carrier cooperation and can take weeks or months to roll out. In the meantime, users can take the following precautions:

• Keep the device’s operating system and all apps up to date.
• Use a reputable mobile security app that monitors for unusual network activity.
• Avoid connecting to unknown or unsecured cellular networks.
• Contact your carrier or device manufacturer for the latest patch status.

For critical users—such as government agencies or large enterprises—consider disabling voice calls on affected devices or switching to a different network provider that offers a more secure baseband implementation.