CVE-2025-20754 Overview
CVE-2025-20754 is a medium-severity vulnerability affecting MediaTek modem components across a wide range of chipsets used in smartphones, tablets, and other mobile devices. The vulnerability exists in the modem firmware due to an incorrect bounds check, which could allow a remote attacker to cause a system crash leading to denial of service.
The attack requires the victim's device (User Equipment or UE) to connect to a rogue base station controlled by the attacker. No additional execution privileges are needed for exploitation, and user interaction is not required, making this a particularly concerning vulnerability for mobile device security.
Critical Impact
Remote denial of service attack possible when device connects to attacker-controlled rogue base station, causing system crash without user interaction.
Affected Products
- MediaTek NR15, NR16, NR17, NR17R modem firmware
- MediaTek MT67xx series chipsets (MT6813, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991)
- MediaTek MT27xx series modems (MT2735, MT2737)
- MediaTek MT87xx series chipsets (MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893)
Discovery Timeline
- December 2, 2025 - CVE-2025-20754 published to NVD
- December 4, 2025 - Last updated in NVD database
Technical Details for CVE-2025-20754
Vulnerability Analysis
This vulnerability is classified under CWE-248 (Uncaught Exception), indicating that the modem firmware fails to properly handle exceptional conditions during bounds checking operations. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H.
The CVSS metrics indicate:
- Attack Vector (AV:N): Network-based attack
- Attack Complexity (AC:H): High complexity - requires setting up a rogue base station
- Privileges Required (PR:L): Low privileges needed
- User Interaction (UI:N): No user interaction required
- Scope (S:U): Unchanged - impact limited to vulnerable component
- Confidentiality (C:N): No confidentiality impact
- Integrity (I:N): No integrity impact
- Availability (A:H): High availability impact - system crash
The Exploit Prediction Scoring System (EPSS) rates this vulnerability at 0.214% probability of exploitation, placing it in the 44th percentile.
Root Cause
The root cause of CVE-2025-20754 lies in an incorrect bounds check within the MediaTek modem firmware. When processing certain network signaling data, the modem component fails to properly validate input boundaries, leading to an uncaught exception condition. This improper validation allows malformed data from a rogue base station to trigger a system crash.
The vulnerability is tracked internally by MediaTek as Patch ID: MOLY01689251 and Issue ID: MSV-4840.
Attack Vector
The attack vector for this vulnerability involves setting up a rogue cellular base station (fake cell tower) that the victim's mobile device connects to. The attack scenario proceeds as follows:
Rogue Base Station Setup: The attacker deploys a malicious base station with a stronger signal than legitimate towers in the area, or targets areas with weak cellular coverage.
Device Connection: When the victim's device with an affected MediaTek chipset connects to the rogue base station, the attacker has a communication channel to the device's modem.
Malicious Payload Delivery: The attacker sends specially crafted signaling data that triggers the improper bounds check in the modem firmware.
System Crash: The modem component fails to handle the malformed input properly, resulting in an uncaught exception that causes the entire system to crash.
This attack does not require any user interaction - the device will automatically connect to the strongest available cellular signal, making this vulnerability exploitable in a passive manner once the rogue infrastructure is in place.
Detection Methods for CVE-2025-20754
Indicators of Compromise
- Unexpected device reboots or system crashes without apparent cause
- Device connecting to unrecognized or suspicious cellular base stations
- Abnormal modem behavior or repeated connection drops in specific locations
- System logs showing modem-related crashes or exceptions
Detection Strategies
Organizations can implement the following detection strategies to identify potential exploitation attempts:
Device Monitoring: Deploy mobile device management (MDM) solutions that can track and alert on unexpected device reboots or crashes. Look for patterns of crashes that correlate with specific geographic locations, which could indicate the presence of a rogue base station.
Network Analysis: Monitor for anomalous cellular network behavior in enterprise environments. Tools that can detect rogue base stations or IMSI catchers can help identify the infrastructure needed for this attack.
Firmware Version Auditing: Maintain an inventory of device firmware versions across the organization to identify devices running vulnerable MediaTek modem firmware that requires patching.
Monitoring Recommendations
- Implement centralized logging for mobile device crash reports and analyze for modem-related failures
- Deploy rogue base station detection solutions in high-security areas
- Configure MDM platforms to alert on unusual patterns of device instability
- Monitor vendor security bulletins for firmware updates addressing this vulnerability
- Track EPSS score changes for this CVE to assess evolving exploitation likelihood
How to Mitigate CVE-2025-20754
Immediate Actions Required
- Check device firmware versions against MediaTek's security advisory to determine if affected chipsets are present in your device fleet
- Apply available firmware updates from device manufacturers that incorporate MediaTek patch MOLY01689251
- In high-security environments, consider deploying rogue base station detection systems
- Educate users about the risks of connecting to untrusted cellular networks
Patch Information
MediaTek has released security patch MOLY01689251 to address this vulnerability. The patch information is documented in MediaTek's December 2025 Product Security Bulletin.
Device manufacturers using affected MediaTek chipsets must integrate this patch into their firmware updates. End users should:
- Check their device manufacturer's website for security updates
- Ensure automatic system updates are enabled
- Apply updates as soon as they become available from the device OEM
The patch addresses the bounds checking issue in the modem component, ensuring proper validation of input data to prevent the uncaught exception condition.
Workarounds
Since this vulnerability exists in modem firmware, there are limited workarounds available without applying the official patch. However, organizations can reduce risk through the following measures:
Network Security Controls: In environments where possible, restrict devices from connecting to unknown or unauthorized cellular networks. Some MDM solutions provide cellular network whitelisting capabilities.
Physical Security: In high-security facilities, consider using cellular signal blocking or dedicated indoor cellular infrastructure to prevent connections to external rogue base stations.
Device Selection: For new device deployments, verify that MediaTek-based devices ship with firmware versions that include the security patch.
User Awareness: Train users to report unusual device behavior such as unexpected reboots, especially when occurring in specific locations, as this could indicate an active exploitation attempt.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
