CVE-2025-20751 Overview
CVE-2025-20751 is an out-of-bounds write vulnerability (CWE-787) affecting MediaTek modem components across numerous chipset platforms. The vulnerability exists due to a missing bounds check in the modem firmware, which could allow an attacker to cause a system crash. This remote denial of service attack can be triggered when a User Equipment (UE) device connects to a rogue base station controlled by an attacker, requiring no additional execution privileges and no user interaction.
Critical Impact
Remote denial of service via rogue base station attack affecting devices with MediaTek modem chipsets. Attackers can crash affected devices without user interaction when victims connect to malicious cellular base stations.
Affected Products
- MediaTek NR15 (5G modem platform)
- MediaTek MT2735 (standalone modem)
- MediaTek MT6833, MT6833P (Dimensity 700 series)
- MediaTek MT6853, MT6853T (Dimensity 720 series)
- MediaTek MT6855, MT6855T (Dimensity 930 series)
- MediaTek MT6873 (Dimensity 800 series)
- MediaTek MT6875, MT6875T (Dimensity 820 series)
- MediaTek MT6877, MT6877T, MT6877TT (Dimensity 900 series)
- MediaTek MT6880 (Dimensity 1000 series)
- MediaTek MT6883, MT6885, MT6889, MT6890, MT6891, MT6893 (Dimensity 1000+ series)
- MediaTek MT8675, MT8771, MT8791, MT8791T, MT8797 (tablet/IoT chipsets)
Discovery Timeline
- 2025-12-02 - CVE-2025-20751 published to NVD
- 2025-12-04 - Last updated in NVD database
Technical Details for CVE-2025-20751
Vulnerability Analysis
This vulnerability is classified as CWE-787 (Out-of-Bounds Write) with a CVSS 3.1 score of 5.3 (Medium severity). The CVSS vector is CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating:
- Attack Vector (AV:N): Network-based attack
- Attack Complexity (AC:H): High complexity, requiring specific conditions (rogue base station setup)
- Privileges Required (PR:L): Low privileges needed
- User Interaction (UI:N): No user interaction required
- Scope (S:U): Impact is contained to the vulnerable component
- Confidentiality (C:N): No confidentiality impact
- Integrity (I:N): No integrity impact
- Availability (A:H): High availability impact (system crash)
The EPSS (Exploit Prediction Scoring System) probability is 0.214% with a percentile of 44.01%, suggesting moderate likelihood of exploitation in the wild.
Root Cause
The root cause is a missing bounds check within the MediaTek modem firmware. When processing certain protocol messages from a cellular base station, the modem fails to validate the size or boundaries of input data before writing to memory. This allows malformed data from a rogue base station to trigger an out-of-bounds write operation, corrupting memory and causing the modem—and consequently the entire device—to crash.
The vulnerability is tracked internally by MediaTek with Patch ID: MOLY01661195 and Issue ID: MSV-4297.
Attack Vector
The attack requires the adversary to operate a rogue cellular base station (fake cell tower). When a vulnerable device connects to this malicious base station—which can occur automatically as mobile devices search for cellular signals—the attacker can send specially crafted protocol messages that exploit the missing bounds check.
The attack scenario involves:
- Attacker deploys a rogue base station in proximity to target devices
- Target devices with vulnerable MediaTek modems connect to the rogue base station (either automatically or through signal strength manipulation)
- The rogue base station transmits malformed cellular protocol messages
- The modem firmware processes these messages without proper bounds validation
- Out-of-bounds write occurs, corrupting modem memory
- Device experiences a system crash, resulting in denial of service
This type of attack is particularly concerning in high-density areas where an attacker could potentially affect multiple devices simultaneously.
Detection Methods for CVE-2025-20751
Indicators of Compromise
- Unexpected device reboots or crashes, particularly in specific geographic locations
- Modem firmware crash logs indicating memory corruption or segmentation faults
- Repeated connection attempts to unknown or suspicious cellular base stations
- Device instability when in proximity to potential rogue base station locations
- Kernel panic or system crash events correlated with cellular connectivity events
Detection Strategies
Due to the nature of this vulnerability affecting low-level modem firmware, detection is challenging. However, organizations can implement the following strategies:
- Device Management Platforms: Monitor enrolled devices for unusual crash patterns or restart frequencies that could indicate exploitation attempts
- Network Anomaly Detection: Deploy systems capable of detecting rogue base stations in enterprise environments
- Firmware Version Monitoring: Track modem firmware versions across the device fleet to identify unpatched systems
- Endpoint Telemetry: Collect and analyze crash reports from mobile devices, looking for patterns consistent with modem-related failures
Monitoring Recommendations
Organizations with devices containing affected MediaTek chipsets should:
- Implement mobile device management (MDM) solutions that can monitor device health and crash reports
- Consider deploying cellular network monitoring solutions in sensitive facilities to detect rogue base stations
- Establish baseline behavior for device stability and alert on deviations
- Review device logs for modem-related crash events, particularly those occurring in clusters or at specific locations
- Coordinate with security operations teams to correlate device crashes with physical security observations of potential rogue cellular equipment
How to Mitigate CVE-2025-20751
Immediate Actions Required
- Apply the latest firmware updates from device manufacturers that incorporate MediaTek's security patch (MOLY01661195)
- Review the MediaTek Product Security Bulletin for December 2025 for official guidance
- Inventory all devices with affected MediaTek chipsets in your organization
- Prioritize patching for devices used in sensitive environments or by high-risk personnel
- Consider restricting access to sensitive facilities for unpatched devices
Patch Information
MediaTek has released a security patch addressing this vulnerability, tracked as Patch ID MOLY01661195. The patch adds proper bounds checking to the affected modem code path. Device manufacturers (OEMs) must integrate this patch into their firmware updates.
Users should check with their device manufacturers for firmware updates that include this fix. The official MediaTek security advisory is available at: https://corp.mediatek.com/product-security-bulletin/December-2025
The patch timeline depends on OEM release schedules, as MediaTek provides patches to device manufacturers who then distribute updates to end users.
Workarounds
Due to the firmware-level nature of this vulnerability, complete workarounds are limited. However, organizations can reduce risk through the following measures:
- Avoid areas where rogue base stations may be deployed (though this is impractical for most users)
- Use airplane mode in high-risk locations where rogue base station attacks are suspected
- Deploy enterprise-grade rogue base station detection systems in sensitive facilities
- Implement network access controls that require firmware compliance for device connectivity
- Consider accelerated device refresh cycles for devices that cannot receive patches
Organizations should prioritize firmware updates as the primary mitigation strategy, as software workarounds cannot fully address the underlying modem firmware vulnerability.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
