CVE-2024-20154 Overview
CVE-2024-20154 is a critical out-of-bounds write vulnerability affecting MediaTek modem firmware across a wide range of chipsets. The vulnerability exists within the modem component where a missing bounds check allows attackers to write data beyond allocated memory boundaries. This flaw enables remote code execution when a vulnerable device connects to a rogue base station controlled by an attacker, requiring no user interaction and no additional execution privileges.
Critical Impact
Remote code execution via rogue base station attack with no user interaction required, affecting over 50 MediaTek chipsets used in millions of mobile devices and tablets worldwide.
Affected Products
- MediaTek MT67xx Series (MT6767, MT6768, MT6769, MT6779, MT6781, MT6783, MT6785, MT6789)
- MediaTek MT68xx Series (MT6833P, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893)
- MediaTek MT87xx Series (MT8666, MT8673, MT8675, MT8765, MT8766, MT8768, MT8771, MT8781, MT8786, MT8788, MT8789, MT8791T, MT8795T, MT8797, MT8798)
- MediaTek Modem Firmware LR12A, LR13, NR16.R1.MP, NR16.R1.MP1MP2.MP, NR16.R2.MP
- MediaTek MT2735 Modem Chipset
Discovery Timeline
- January 6, 2025 - CVE-2024-20154 published to NVD
- January 12, 2026 - Last updated in NVD database
Technical Details for CVE-2024-20154
Vulnerability Analysis
This vulnerability is classified under CWE-787 (Out-of-bounds Write) and CWE-121 (Stack-based Buffer Overflow). The flaw resides in MediaTek's modem firmware, specifically in the code path that processes data received from cellular base stations. When the modem communicates with a base station, it processes various signaling messages and data payloads. The vulnerable code path fails to properly validate the size of incoming data before writing it to a fixed-size buffer.
The attack requires the victim device to connect to a malicious base station, which can be accomplished through various means including deploying a stronger signal that causes the device to roam to the rogue cell, or by positioning the rogue station in an area with weak legitimate cellular coverage. Once connected, the attacker-controlled base station can send specially crafted messages that trigger the out-of-bounds write condition.
Root Cause
The root cause is a missing bounds check in the modem firmware's message processing routine. When the modem receives data from a base station, it copies this data into a stack-allocated buffer without first verifying that the incoming data size does not exceed the buffer capacity. This allows an attacker to overflow the buffer and overwrite adjacent memory, including return addresses and other critical control flow data on the stack.
The vulnerability is tracked internally by MediaTek as Patch ID MOLY00720348 and Issue ID MSV-2392.
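The missing-check pattern described above, as an added C example that is not MediaTek's firmware code: a hypothetical length-prefixed signalling message whose declared length is trusted and copied into a fixed-size stack buffer (the CWE-121 shape), beside the bounds-checked version a patch for this class of bug introduces. The message layout, the 64-byte buffer and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed message layout (not MediaTek's real format): one length byte
 * followed by that many payload bytes. */
#define MSG_BUF_SIZE 64

/* Vulnerable pattern (CWE-121): the declared length is trusted and copied
 * into a fixed-size stack buffer without being checked against the buffer.
 * An oversized declared length overwrites whatever follows the buffer on
 * the stack. Shown only to contrast with the fixed version; never call it
 * with untrusted input. */
static int handle_msg_vulnerable(const uint8_t *msg, size_t msg_len)
{
    uint8_t buf[MSG_BUF_SIZE];
    if (msg_len < 1) return -1;
    size_t declared = msg[0];
    memcpy(buf, msg + 1, declared);   /* missing: declared <= sizeof buf */
    return (int)declared;
}

/* Hardened version: every length that drives a write is validated against
 * both the destination capacity and the number of bytes actually received. */
static int handle_msg_fixed(const uint8_t *msg, size_t msg_len,
                            uint8_t *out, size_t out_cap)
{
    if (msg == NULL || out == NULL || msg_len < 1) return -1;
    size_t declared = msg[0];
    if (declared > out_cap) return -2;        /* would overflow the buffer */
    if (declared > msg_len - 1) return -3;    /* claims more than was received */
    memcpy(out, msg + 1, declared);
    return (int)declared;
}

int main(void)
{
    uint8_t out[MSG_BUF_SIZE];
    const uint8_t good[] = {4, 'a', 'b', 'c', 'd'};   /* constructed sample */
    uint8_t big[201];
    memset(big, 0x41, sizeof big);
    big[0] = 200;                                      /* declared 200 > 64 */

    printf("valid message  -> %d\n", handle_msg_fixed(good, sizeof good, out, sizeof out));
    printf("oversized msg  -> %d\n", handle_msg_fixed(big, sizeof big, out, sizeof out));
    printf("vulnerable ok  -> %d\n", handle_msg_vulnerable(good, sizeof good));
    return 0;
}
```

The fixed handler returns a distinct error code for each rejected case so that a caller can log which check failed; a modem that logs such rejections gives defenders the crash-free signal that the Indicators of Compromise section below can only infer from resets.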
Attack Vector
The attack vector is network-based and exploits the cellular communication protocol. An attacker must deploy a rogue base station (also known as a fake cell tower or IMSI catcher) within radio range of the target device. The attack proceeds as follows:
- The attacker sets up a malicious base station broadcasting on frequencies the target device supports
- The rogue station advertises itself with parameters that encourage the victim device to connect (stronger signal, specific network identifiers)
- Once the victim device connects, the attacker sends malformed protocol messages containing oversized payloads
- The modem firmware processes these messages without proper bounds checking, causing a stack buffer overflow
- The attacker leverages the overflow to achieve arbitrary code execution within the modem's execution context
The attack requires no user interaction: a device that is powered on with cellular connectivity enabled is sufficient. The modem runs with high privileges and executes code independently of the main application processor, which makes this vulnerability particularly severe.
Detection Methods for CVE-2024-20154
Indicators of Compromise
- Unexpected device behavior when in areas with unusual cellular signal patterns or near locations where rogue base stations might be deployed
- Unexplained modem crashes or restarts that may indicate exploitation attempts
- Network diagnostic logs showing connections to unfamiliar or suspicious cell tower identifiers
- Anomalous cellular network behavior including frequent network re-selections or unusual handovers
Detection Strategies
- Deploy cellular network monitoring solutions capable of detecting rogue base stations in enterprise environments
- Implement mobile device management (MDM) solutions that can monitor for abnormal modem behavior and unexpected restarts
- Utilize network security tools that can identify suspicious cellular infrastructure in proximity to protected facilities
- Enable comprehensive logging on mobile devices where supported to capture modem diagnostic information
Monitoring Recommendations
- Monitor enterprise mobile device fleets for unusual patterns of modem restarts or cellular connectivity issues
- Implement geofencing and alerting for devices entering areas with known risks of rogue base station deployment
- Coordinate with mobile carriers to report suspicious cellular infrastructure
- Establish baseline cellular behavior patterns for managed devices to facilitate anomaly detection
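An added example, not from the page's source or any vendor tool, that turns the log-based indicators listed under Indicators of Compromise and the baseline recommendation above into a concrete check: it scans constructed modem diagnostic lines against a list of known-good cell identifiers and counts attaches to unknown cells, rapid cell changes and modem resets. The log format, the event names (ATTACH, MODEM_RESET) and the 120-second reselection window are assumptions; a real deployment would feed it the diagnostic output an MDM agent or carrier tool actually exports.

```c
#include <stdio.h>
#include <string.h>

/* Two cell changes closer together than this are counted as a rapid
 * reselection (assumed threshold). */
#define RESELECT_WINDOW_S 120

/* Counters filled in by analyze_cell_log(). */
struct cell_report {
    int attaches;         /* ATTACH events seen */
    int unknown_cells;    /* attaches to a cell id outside the baseline */
    int rapid_reselects;  /* cell changes within RESELECT_WINDOW_S of the previous one */
    int modem_resets;     /* MODEM_RESET events, a possible crash from a malformed message */
};

/* Constructed log lines (assumed format: "<ISO-8601 time> <EVENT> key=value ..."). */
static const char *const SAMPLE_LOG[] = {
    "2025-01-10T08:00:01 ATTACH plmn=310260 cid=00A1F3",
    "2025-01-10T08:05:12 ATTACH plmn=310260 cid=00A1F4",
    "2025-01-10T08:06:00 ATTACH plmn=310260 cid=7FFFFF",
    "2025-01-10T08:06:07 MODEM_RESET reason=unexpected",
    "2025-01-10T08:06:30 ATTACH plmn=310260 cid=00A1F3",
    "2025-01-10T08:30:00 KEEPALIVE rsrp=-95",
};
#define SAMPLE_LOG_LEN (sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0])

/* Constructed baseline of cell ids this device normally attaches to. */
static const char *const SAMPLE_BASELINE[] = { "00A1F3", "00A1F4" };
#define SAMPLE_BASELINE_LEN (sizeof SAMPLE_BASELINE / sizeof SAMPLE_BASELINE[0])

/* Seconds since midnight from "YYYY-MM-DDThh:mm:ss", or -1 if unparsable. */
static int seconds_of_day(const char *ts)
{
    int h, m, s;
    if (sscanf(ts, "%*4d-%*2d-%*2dT%2d:%2d:%2d", &h, &m, &s) != 3) return -1;
    return h * 3600 + m * 60 + s;
}

static int in_baseline(const char *cid, const char *const *baseline, size_t nb)
{
    for (size_t i = 0; i < nb; i++)
        if (strcmp(cid, baseline[i]) == 0) return 1;
    return 0;
}

/* Scan log lines against the baseline; fills *rep and returns the total
 * number of alert-worthy events (unknown cells + rapid reselects + resets). */
int analyze_cell_log(const char *const *lines, size_t n,
                     const char *const *baseline, size_t nb,
                     struct cell_report *rep)
{
    char ts[32], ev[32], cid[32], last_cid[32] = "";
    int last_t = -1;

    memset(rep, 0, sizeof *rep);
    for (size_t i = 0; i < n; i++) {
        if (sscanf(lines[i], "%31s %31s", ts, ev) != 2) continue;
        if (strcmp(ev, "MODEM_RESET") == 0) { rep->modem_resets++; continue; }
        if (strcmp(ev, "ATTACH") != 0) continue;

        const char *p = strstr(lines[i], "cid=");
        if (p == NULL || sscanf(p + 4, "%31s", cid) != 1) continue;
        rep->attaches++;
        if (!in_baseline(cid, baseline, nb)) rep->unknown_cells++;

        int t = seconds_of_day(ts);
        if (last_t >= 0 && t >= 0 && strcmp(cid, last_cid) != 0 &&
            t - last_t <= RESELECT_WINDOW_S)
            rep->rapid_reselects++;
        last_t = t;
        strcpy(last_cid, cid);
    }
    return rep->unknown_cells + rep->rapid_reselects + rep->modem_resets;
}

int main(void)
{
    struct cell_report r;
    int alerts = analyze_cell_log(SAMPLE_LOG, SAMPLE_LOG_LEN,
                                  SAMPLE_BASELINE, SAMPLE_BASELINE_LEN, &r);
    printf("attaches=%d unknown_cells=%d rapid_reselects=%d modem_resets=%d alerts=%d\n",
           r.attaches, r.unknown_cells, r.rapid_reselects, r.modem_resets, alerts);
    return 0;
}
```

On the constructed sample the scan reports one attach to an unknown cell, two rapid reselections and one modem reset. No single counter proves exploitation (legitimate handovers and crashes happen), but an unknown cell followed within seconds by a modem reset is exactly the combination the indicators above describe and is worth escalating to the carrier.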
How to Mitigate CVE-2024-20154
Immediate Actions Required
- Apply the January 2025 MediaTek security update immediately through device manufacturer OTA updates
- Contact device manufacturers (OEMs) to determine when patches will be available for specific device models
- In high-risk environments, consider temporarily disabling cellular connectivity on critical devices until patches are applied
- Implement network-level protections where possible to detect and alert on rogue base station presence
Patch Information
MediaTek has released patches addressing this vulnerability in the January 2025 Security Bulletin. The fix is identified by Patch ID MOLY00720348. As MediaTek supplies chipsets to numerous device manufacturers, the actual patch deployment depends on individual OEMs integrating and releasing firmware updates for their specific products.
Organizations should check with their device manufacturers for update availability. Android devices using affected MediaTek chipsets may receive patches through the Android Security Bulletin process, though timing varies by manufacturer.
Workarounds
- When cellular connectivity is not required, enable airplane mode in high-risk areas where rogue base stations may be deployed
- Use Wi-Fi calling instead of cellular when available in environments where rogue base station attacks are a concern
- Implement physical security measures in sensitive facilities to detect unauthorized radio equipment
- Consider deploying devices with non-affected chipsets for users operating in high-threat environments
# Example: Check device chipset information on Android
adb shell getprop ro.hardware
adb shell cat /proc/cpuinfo | grep Hardware
# Verify current security patch level
adb shell getprop ro.build.version.security_patch
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

