CVE-2025-20752 Overview
CVE-2025-20752 is a medium-severity denial of service vulnerability affecting MediaTek modem components across a wide range of chipsets. The vulnerability exists in the Modem component where a missing bounds check can lead to a system crash. This flaw enables remote denial of service attacks when a User Equipment (UE) device connects to a rogue base station controlled by an attacker, requiring no additional execution privileges or user interaction for exploitation.
Critical Impact
Remote denial of service attack possible via rogue base station, causing system crashes on affected MediaTek-powered devices without user interaction.
Affected Products
- MediaTek NR15, NR16, NR17, NR17R modem firmware
- MediaTek MT2735 and MT2737 chipsets
- MediaTek MT68xx series (MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899)
- MediaTek MT69xx series (MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991)
- MediaTek MT8676 and MT8791T chipsets
Discovery Timeline
- 2025-12-02 - CVE-2025-20752 published to NVD
- 2025-12-04 - Last updated in NVD database
Technical Details for CVE-2025-20752
Vulnerability Analysis
This vulnerability is classified under CWE-617 (Reachable Assertion), indicating that the modem firmware contains an assertion that can be triggered by external input, leading to a system crash. The CVSS 3.1 score is 6.5 (Medium), with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating:
- Attack Vector: Network-based exploitation
- Attack Complexity: Low - straightforward to exploit
- Privileges Required: Low - some access needed
- User Interaction: None required
- Impact: High availability impact with no confidentiality or integrity impact
The EPSS score of 0.214% places this vulnerability at the 44th percentile, suggesting a relatively low but non-negligible probability of exploitation in the wild.
Root Cause
The vulnerability stems from a missing bounds check in the MediaTek modem component. When processing certain network signaling data from a base station, the modem firmware fails to properly validate input boundaries before processing. This missing validation allows specially crafted data to trigger an assertion failure or out-of-bounds memory access, resulting in a system crash.
The vulnerability is tracked internally by MediaTek under Patch ID: MOLY01270690 and Issue ID: MSV-4301.
Attack Vector
The attack requires the victim device to connect to a rogue cellular base station controlled by the attacker. In this scenario:
- The attacker deploys a malicious base station (commonly known as an IMSI catcher or stingray device)
- The victim's device, using a vulnerable MediaTek modem, connects to the rogue base station
- The attacker sends specially crafted signaling messages that exploit the missing bounds check
- The modem firmware crashes, causing a denial of service on the device
This attack is particularly concerning because it requires no user interaction and the victim may not be aware they have connected to a malicious base station. The attack can be repeated to continuously disrupt the device's cellular connectivity.
Detection Methods for CVE-2025-20752
Indicators of Compromise
- Unexpected device reboots or modem crashes when in certain geographic areas
- Repeated loss of cellular connectivity followed by system instability
- Crash logs indicating modem-related assertion failures or segmentation faults
- Device consistently connecting to unknown or suspicious cell towers
Detection Strategies
Organizations can implement the following detection strategies:
- Device Log Monitoring: Monitor device logs for modem crash events, particularly those referencing assertion failures in modem firmware components
- Network Anomaly Detection: Deploy cellular network monitoring solutions to detect rogue base stations in the vicinity of critical locations
- Firmware Version Auditing: Maintain an inventory of devices with MediaTek chipsets and track firmware versions to identify vulnerable systems
- Behavioral Analysis: Monitor for patterns of repeated device crashes or connectivity issues that may indicate active exploitation attempts
Monitoring Recommendations
Security teams should implement comprehensive monitoring for devices running affected MediaTek chipsets:
- Enable crash reporting and centralized log collection for mobile devices
- Deploy MDM (Mobile Device Management) solutions to track firmware versions and device health
- Consider implementing RF monitoring solutions in sensitive environments to detect rogue base stations
- Establish baseline connectivity patterns to identify anomalous behavior that may indicate attack attempts
How to Mitigate CVE-2025-20752
Immediate Actions Required
- Update device firmware to the latest version containing MediaTek's patch (MOLY01270690)
- Review the MediaTek December 2025 Security Bulletin for device-specific update information
- Implement MDM policies to enforce firmware updates across enterprise mobile fleets
- Consider restricting device usage in high-risk areas where rogue base stations may be deployed
Patch Information
MediaTek has released a security patch addressing this vulnerability, tracked as Patch ID: MOLY01270690. Device manufacturers (OEMs) must integrate this patch into their firmware updates. Users should check with their device manufacturer or carrier for the availability of security updates.
The official security bulletin is available at: https://corp.mediatek.com/product-security-bulletin/December-2025
Organizations should prioritize patching based on device exposure and criticality, particularly for devices used in sensitive environments or by personnel handling confidential information.
Workarounds
As this vulnerability exists at the modem firmware level, complete mitigation requires applying the vendor patch. However, the following interim measures can reduce exposure:
- Limit Cellular Connectivity: In high-security environments, consider using Wi-Fi-only connectivity where feasible to reduce exposure to rogue base station attacks
- Employ RF Shielding: In sensitive facilities, implement RF shielding to prevent unauthorized cellular connections
- Device Isolation: Isolate critical communications to devices with patched firmware or alternative chipsets
- User Awareness: Educate users about the risks of operating in areas with potential rogue base station presence
Organizations should prioritize firmware updates as the definitive remediation, as workarounds provide only partial protection against this vulnerability class.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
