CVE-2022-38694
Cisco BootRom Bootloader Unchecked Write Address Privilege Escalation Vulnerability
Description
In BootRom, there is a possible unchecked write address. This could lead to local escalation of privilege with no additional execution privileges needed.
INFO
Published Date :
Sept. 1, 2025, 8:15 a.m.
Last Modified :
June 17, 2026, 4:57 a.m.
Remotely Exploit :
No
Source :
[email protected]
Affected Products
The following products are affected by CVE-2022-38694
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | |||||
| CVSS 3.1 | HIGH | 134c704f-9b21-4f2e-91b3-4a467353bcc0 |
Solution
- Update the BootRom firmware.
- Verify write address checks.
- Implement secure coding practices.
Public PoC/Exploit Available at Github
CVE-2022-38694 has a 35 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2022-38694.
| URL | Resource |
|---|---|
| https://www.nccgroup.com/research-blog/there-s-another-hole-in-your-soc-unisoc-rom-vulnerabilities/ |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2022-38694 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2022-38694
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
LineageOS + bootloader unlocking giude for the poco c71
Security Investigation Report: Motorola Moto G04s (Unisoc T606) | Date:2026 | Target Device:Motorola Moto G04s, Model XT2331-4 |Chipset: Unisoc T606, Octa-core |ODM: Longcheer | Region Focus: Latin America, Mexico |Investigator: Independent Security Research| México 2025-2026
chipset exfiltration inmobi longcheer motorola spreadtrum system digital-turbine
Lightweight, standalone Unisoc (Spreadtrum) protocol flashing interface engineered natively for Termux. Bypasses strict Android system node permissions without root or a PC using a user-space file descriptor bridge. Features high-speed connection loops and automated HDLC packaging.
android-customization bootrom-exploit firmware-utility spd-dump spreadtrum termux unisoc hardware-handshake hdlc-protocol no-root-flashing otg-flashing
Python
None
Batchfile Python PowerShell
Bootloader unlock & Magisk root for Cubot KingKong ES 3 (Unisoc T615 / UMS9230_6h10). Experimental lab report — EMMC, A/B slots, BROM/FDL method. Not a guaranteed beginner guide.
android android-root bootloader bootloader-unlock cubot es3 kingkong magisk ums9230 unisoc spd-dump t615
Magisk root guide for ZTE Blade X1001 (Android 15, Unisoc UMS9230) using CVE-2022-38694 exploit. Contributions and screenshots welcome.
Home directory config and project overview
Shell HTML Python
Arquivo de Operações
C++ C Makefile Shell Python Batchfile
Extract a concerning amount of user information from Unisoc ZTE devices using CVE-2022-38694.
Batchfile Python
Bootloader unlock (CVE-2022-38694) & root guide for Realme C53 / RMX3760 (Unisoc T612)
Batchfile Python Shell
rooting an ATOZEE P12 on Android 14 using CVE-2022-38694 — because fastboot oem unlock said no, so we found another way.
android-14 android-root bootloader-unlock magisk ums9230 unisoc cve-2022-38694
Batchfile
very indev
Python Shell
The ultimate browser-based unlocker for Unisoc devices. Bypass signature checks and unlock bootloaders via WebUSB/OTG. No PC needed. Universal support for T606, T612, and other ums9230 platforms. Simple, mobile-first, and open-source.
CSS HTML JavaScript
None
Shell Python C Assembly
10h attempt at bypassing SELinux, firmware and a super weird chipset to unbrick a 100$ android tablet
Shell C Makefile
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2022-38694 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2022-38694 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
Jun. 17, 2026
Action Type Old Value New Value Added Affected [{'vendor': 'Unisoc (Shanghai) Technologies Co., Ltd.', 'product': 'SC9863A//T310/T610/T618/', 'versions': [{'status': 'affected', 'version': '/'}], 'defaultStatus': 'unaffected'}] -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 17, 2026
Action Type Old Value New Value Added SSVC {'id': 'CVE-2022-38694', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2025-09-02T13:42:01.279170Z'} -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Sep. 02, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Added CWE CWE-250 -
New CVE Received by [email protected]
Sep. 01, 2025
Action Type Old Value New Value Added Description In BootRom, there is a possible unchecked write address. This could lead to local escalation of privilege with no additional execution privileges needed. Added Reference https://www.nccgroup.com/research-blog/there-s-another-hole-in-your-soc-unisoc-rom-vulnerabilities/