A serious memory corruption bug in UNISOC's T612 modem family allows remote code execution (RCE) on vulnerable Android devices through nothing more than a malicious cellular video call. In practice, one phone can compromise another purely over the mobile network layer. UNISOC is one of the top three fabless semiconductor vendors in the world.
Headquartered in Shanghai, it supplies 2G–5G, IoT, and smart device chipsets to OEMs such as Honor, realme, vivo, Samsung, and Motorola, and its products ship in more than 140 countries. The realme C33 and other popular budget and mid-range Android phones carry the vulnerable baseband stack, which widens the attack surface considerably in the emerging markets where UNISOC chipsets are most common.
The flaw lies in the SIP/SDP parsing path of the UNISOC modem firmware. Specifically, there is an exploitable Uncontrolled Recursion condition (CWE-674) in the _SDPDEC_AcapDecoder function, which handles the nonstandard acap attribute. After parsing one acap attribute, the function consults the SipHandler_AttrDecoder table.
It can then call itself for the next attribute with no recursion or depth limit, so attacker-controlled SDP can consume an unbounded amount of stack space. By placing a large number of acap attributes on a single SDP line, an attacker can make the SIP task's stack collide with the stack of the sblock_0_2 task, producing a stack overflow in the baseband RTOS context. Overwriting sblock_0_2 function pointers then redirects execution to attacker-supplied ARM Thumb shellcode delivered through a separate crypto attribute, demonstrating native code execution inside the modem.
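The missing control is a depth bound on the recursive attribute decoder. The following is an added illustration, not UNISOC's firmware code (which is not public): a decoder for a constructed "acap:<n>" token format that keeps the self-recursive structure the article describes but carries an explicit depth counter, so a flooded line is rejected instead of exhausting the task stack. The token format and the MAX_ACAP_DEPTH value are assumptions.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hard cap on recursion depth for chained attributes (constructed value). */
#define MAX_ACAP_DEPTH 16

/* Decode one "acap:<digits>" token at p.
   Returns a pointer just past the token, or NULL if the token is malformed. */
static const char *decode_one_acap(const char *p) {
    if (strncmp(p, "acap:", 5) != 0) return NULL;
    p += 5;
    if (*p < '0' || *p > '9') return NULL;          /* require at least one digit */
    while (*p >= '0' && *p <= '9') p++;
    return p;
}

/* Bounded recursive decoder. Each recursion level handles one attribute and
   passes depth + 1 to the next; the check on entry is what the vulnerable
   parser lacks, so attacker-controlled input cannot grow the stack past
   MAX_ACAP_DEPTH frames. Returns attribute count, or -1 on error / limit hit. */
static int decode_acap_chain(const char *p, int depth) {
    if (depth >= MAX_ACAP_DEPTH) return -1;         /* depth limit: stop here */
    while (*p == ' ') p++;
    if (*p == '\0') return 0;                       /* end of line: nothing left */
    const char *next = decode_one_acap(p);
    if (next == NULL) return -1;                    /* malformed token */
    int rest = decode_acap_chain(next, depth + 1);
    return rest < 0 ? -1 : rest + 1;
}

/* Entry point for the value of one "a=" line; returns count or -1. */
int sdp_acap_line_count(const char *line) {
    return decode_acap_chain(line, 0);
}

/* Constructed sample input: a benign three-attribute line. */
int demo_benign(void) {
    return sdp_acap_line_count("acap:1 acap:2 acap:3");
}

/* Constructed sample input: 40 attributes on one line, well past the cap. */
int demo_flood(void) {
    char buf[1024];
    size_t n = 0;
    for (int i = 0; i < 40 && n + 16 < sizeof buf; i++)
        n += (size_t)sprintf(buf + n, "acap:%d ", i);
    return sdp_acap_line_count(buf);                /* returns -1 */
}
```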
Exploitation takes place entirely over the cellular IMS/VoLTE signaling plane, with the malformed SDP embedded in SIP INVITE messages. The researcher's lab consisted of a Dockerized Open5GS core with Kamailio, a LimeSDR-based 4G cell, and Osmocom sysmoISIM USIM cards. The attacker UE was a pwntools-based container that registers to IMS and sends the crafted INVITEs.
The vulnerable target was a realme C33 (UNISOC T612) running the July 1, 2025 Android security patch level, which shows that Android framework updates do not address the baseband flaw.
A video call from the attacker's device is all it takes: incoming SRTP traffic triggers fragmentation and starts the sblock_0_2 task, and when the victim answers, the modem crashes and executes the injected shellcode. Post-crash modem memory dumps and register analysis confirmed the result, showing 0xdeadbeef written to a controlled address. The issue was confirmed in the firmware image MOCORTM_22A_W23.02.5_P12.14_Debug installed on the realme C33.
The analysis shows that at least the following UNISOC SoCs share the vulnerable SDP parser implementation: T612, T616, T606, and T7250, so multiple phone models built on this modem codebase are at risk. Researcher 0x50594d, working with SSD Secure Disclosure, independently discovered the vulnerability. They attempted to contact UNISOC by email and LinkedIn but had received no response by the time this article was published.
With no vendor patch or public advisory, devices running the affected firmware remain exposed to remote, baseband-level compromise via a malicious cellular video call from any reachable number. Because exploitation occurs in the modem, below the Android OS boundary, a successful RCE could enable covert interception, location tracking, or persistent compromise that survives ordinary device forensics. The flaw is especially dangerous for high-risk users and for operators that depend on UNISOC-based infrastructure.