The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-20634

CVE-2025-20634: Mediatek Nr16 RCE Vulnerability

CVE-2025-20634 is a remote code execution flaw in Mediatek Nr16 modem caused by an out of bounds write. Attackers using rogue base stations can exploit this without user interaction. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published: March 18, 2026

CVE-2025-20634 Overview

CVE-2025-20634 is a critical out-of-bounds write vulnerability (CWE-787) affecting MediaTek modem firmware across a wide range of chipsets. The vulnerability exists within the modem component and stems from a missing bounds check, which could allow remote code execution when a user equipment (UE) device connects to a rogue base station controlled by an attacker. No user interaction is required for exploitation, making this a particularly dangerous vulnerability for mobile devices and IoT hardware utilizing affected MediaTek chipsets.

Critical Impact

Remote code execution is possible without user interaction when a device connects to a malicious base station, potentially compromising mobile devices and IoT systems at the firmware level.

Affected Products

  • MediaTek NR16, NR17, NR17R (5G NR Modem Software)
  • MediaTek MT6800 series (MT6813, MT6835, MT6835T, MT6878, MT6878M, MT6879, MT6886)
  • MediaTek MT6895 series (MT6895, MT6895TT, MT6896, MT6897, MT6899)
  • MediaTek MT6980 series (MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T)
  • MediaTek MT6989 series (MT6989, MT6989T, MT6990, MT6991)
  • MediaTek MT8000 series (MT8673, MT8676, MT8678, MT8795T, MT8798, MT8863)
  • MediaTek MT2737

Discovery Timeline

  • February 2025 - MediaTek releases security patch (Patch ID: MOLY01289384)
  • 2025-02-03 - CVE-2025-20634 published to NVD
  • 2026-02-17 - Last updated in NVD database

Technical Details for CVE-2025-20634

Vulnerability Analysis

This vulnerability is an out-of-bounds write condition in MediaTek's modem firmware. The flaw occurs when the modem processes certain data without proper bounds checking, allowing an attacker to write data beyond the intended buffer boundaries. Since the modem operates at a low level within the device architecture, successful exploitation could grant an attacker significant control over the affected device's communications and potentially the entire system.

The attack requires the victim's device to connect to a rogue base station (fake cell tower) controlled by the attacker. Once connected, the attacker can send specially crafted data that triggers the out-of-bounds write condition, leading to arbitrary code execution within the modem's execution context. Notably, no additional execution privileges are required beyond establishing the malicious connection, and no user interaction is needed to trigger the vulnerability.

Root Cause

The root cause is a missing bounds check in the modem firmware's data processing routines. When handling certain types of network communications data, the firmware fails to validate that the data length falls within expected boundaries before writing to memory buffers. This oversight allows maliciously crafted data to overflow the intended buffer and overwrite adjacent memory regions, potentially corrupting critical data structures or injecting executable code.

Attack Vector

The attack vector is network-based, requiring the attacker to operate a rogue base station (also known as an IMSI catcher or fake cell tower). When a vulnerable device enters the range of this malicious base station and connects to it, the attacker can exploit the vulnerability by sending specially crafted network protocol messages that trigger the out-of-bounds write.

The exploitation process involves setting up a rogue base station that mimics legitimate cellular infrastructure. When a vulnerable device connects (which can occur automatically without user awareness), the attacker transmits malformed modem protocol data. The missing bounds check in the modem firmware allows this data to overwrite memory beyond the intended buffer, ultimately achieving remote code execution on the device's modem processor.

Detection Methods for CVE-2025-20634

Indicators of Compromise

  • Unexpected modem crashes or restarts that may indicate exploitation attempts against the firmware
  • Connections to unknown or suspicious base stations that could represent rogue cell tower attacks
  • Anomalous cellular network behavior or unexpected data transmissions from affected devices
  • System instability or unexpected behavior following cellular network connectivity events

Detection Strategies

  • Monitor for devices connecting to unregistered or suspicious base stations through cellular network monitoring solutions
  • Implement firmware integrity checking mechanisms to detect modifications to modem components
  • Deploy endpoint detection and response (EDR) solutions capable of monitoring low-level system behavior on mobile and IoT devices
  • Utilize network anomaly detection to identify unusual cellular protocol traffic patterns

Monitoring Recommendations

  • Maintain an inventory of all devices using affected MediaTek chipsets within your organization
  • Implement centralized logging for mobile device management (MDM) solutions to track device connectivity events
  • Monitor MediaTek security bulletins for additional updates and indicators related to this vulnerability
  • Consider cellular network security solutions that can detect rogue base station attacks

How to Mitigate CVE-2025-20634

Immediate Actions Required

  • Apply the firmware update containing Patch ID MOLY01289384 from MediaTek or your device manufacturer immediately
  • Contact device manufacturers (OEMs) for updated firmware releases that incorporate the MediaTek security patch
  • Identify and inventory all devices in your environment using affected MediaTek chipsets
  • Implement network segmentation to limit potential lateral movement from compromised mobile/IoT devices

Patch Information

MediaTek has released a security patch addressing this vulnerability, identified as Patch ID MOLY01289384 (Issue ID: MSV-2436). The patch details are available in the MediaTek Security Bulletin for February 2025. Organizations should work with their device manufacturers (OEMs) to obtain firmware updates that incorporate this patch, as MediaTek provides patches to OEMs who then distribute them through their own update mechanisms.

Workarounds

  • Avoid connecting devices to untrusted or unknown cellular networks when possible
  • Implement cellular network security measures to detect and block rogue base station attacks
  • Consider disabling automatic network selection features where operationally feasible
  • Deploy MDM policies to restrict connectivity to approved carrier networks only
  • For high-security environments, consider RF shielding or controlled cellular environments until patches can be applied
bash
# Verify MediaTek firmware version on Android devices (requires root or ADB access)
# Check for modem firmware version containing the MOLY01289384 patch
adb shell getprop gsm.version.baseband
adb shell cat /sys/devices/virtual/mtk-modem/modem_info/version

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeRCE
  • Vendor/TechMediatek
  • SeverityCRITICAL
  • CVSS Score9.8
  • EPSS Probability6.39%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-787
  • Vendor Resources
  • MediaTek Security Bulletin February 2025
  • Related CVEs
  • CVE-2024-20154: MediaTek LR12A Modem RCE Vulnerability
  • CVE-2026-20446: Mediatek Mt6813 Firmware DOS Vulnerability
  • CVE-2026-20434: Mediatek Lr12a Privilege Escalation Flaw
  • CVE-2026-20401: Mediatek Nr15 Modem DoS Vulnerability
Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English