CVE-2025-20755: Mediatek Nr15 DOS Vulnerability

CVE-2025-20755 Overview

CVE-2025-20755 is a Null Pointer Dereference vulnerability affecting the modem component in multiple MediaTek chipsets. The vulnerability exists due to improper input validation in the modem firmware, which can lead to an application crash and subsequent denial of service condition. This vulnerability is particularly concerning as it can be exploited remotely when a User Equipment (UE) device connects to a rogue base station controlled by an attacker.

The vulnerability has been assigned a CVSS 3.1 score of 5.3 (Medium severity) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H, indicating a network-based attack vector with high attack complexity requiring low privileges and no user interaction. The primary impact is on availability, with no effect on confidentiality or integrity.

Critical Impact

Remote denial of service attack possible through rogue base station, affecting modem functionality on devices using vulnerable MediaTek chipsets without requiring user interaction.

Affected Products

• MediaTek NR15 (5G modem software)
• MediaTek MT2735 (5G modem chipset)
• MediaTek MT6833, MT6833P (Dimensity 700 series)
• MediaTek MT6853, MT6853T (Dimensity 720 series)
• MediaTek MT6855, MT6855T (Dimensity 930 series)
• MediaTek MT6873, MT6875, MT6875T (Dimensity 800 series)
• MediaTek MT6877, MT6877T, MT6877TT (Dimensity 900 series)
• MediaTek MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893 (Dimensity 1000+ series)
• MediaTek MT8675, MT8771, MT8791, MT8791T, MT8797 (Tablet chipsets)

Discovery Timeline

• 2025-12-02 - CVE-2025-20755 published to NVD
• 2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-20755

Vulnerability Analysis

The vulnerability is classified under CWE-476 (Null Pointer Dereference), indicating that the modem firmware fails to properly validate input before dereferencing a pointer. When malformed or unexpected data is received through the cellular interface, the modem software attempts to access memory through a null pointer, causing the application to crash.

The affected modem component handles cellular network communications including LTE and 5G NR protocols. The vulnerability exists in the signal processing layer where incoming network data is parsed and processed. MediaTek has tracked this issue internally as Patch ID: MOLY00628396 and Issue ID: MSV-4775.

With an EPSS score of 0.249% (48th percentile), the vulnerability has a relatively low predicted exploitation probability, though the attack surface through rogue base stations remains a concern for targeted attacks.

Root Cause

The root cause of CVE-2025-20755 is improper input validation in the modem firmware. When processing signaling data from a base station, the modem fails to verify that certain data structures are properly initialized before attempting to access them. This results in a null pointer dereference when a malicious or malformed signal is received.

The vulnerability specifically affects the handling of certain protocol messages where the modem assumes the presence of optional information elements without first verifying their existence. When these elements are absent or maliciously crafted, the resulting null pointer access causes the modem subsystem to crash.

Attack Vector

The attack requires the victim device to connect to a rogue base station controlled by the attacker. This can be accomplished through several methods:

1. Rogue Base Station Setup: The attacker deploys a fake cell tower (IMSI catcher or femtocell) that broadcasts stronger signals than legitimate towers, causing nearby devices to connect
2. Signal Manipulation: Once the device connects, the attacker sends specially crafted signaling messages that trigger the null pointer dereference
3. Denial of Service: The modem crashes, disrupting cellular connectivity for the affected device

The attack does not require user interaction and can be executed with low privileges from the attacker's perspective. However, the high attack complexity (requiring specialized equipment and proximity to the target) limits the practical exploitability.

Detection Methods for CVE-2025-20755

Indicators of Compromise

• Unexpected modem crashes or cellular connectivity drops
• Device logs showing modem subsystem restarts without user action
• Repeated attempts to re-establish cellular connections in rapid succession
• System logs indicating null pointer exceptions in modem-related processes
• Unusual baseband or RIL (Radio Interface Layer) error messages

Detection Strategies

Detection of this vulnerability being exploited is challenging due to the nature of cellular communications. Organizations should implement the following strategies:

Device-Level Monitoring: Enable verbose logging on mobile devices where possible to capture modem crash events. Monitor for patterns of repeated modem restarts that could indicate exploitation attempts.

Network Analysis: In enterprise environments with mobile device management (MDM) solutions, monitor for devices experiencing unusual connectivity patterns or repeated disconnections from cellular networks.

Baseband Anomaly Detection: Where available, implement baseband-level monitoring to detect anomalous signaling patterns that may indicate rogue base station activity.

Monitoring Recommendations

Organizations should leverage endpoint detection and response (EDR) solutions capable of monitoring mobile device health. SentinelOne Singularity Mobile provides visibility into device-level anomalies including:

• Monitoring cellular modem stability and crash events
• Detecting unusual network behavior patterns indicative of rogue base station connections
• Alerting on repeated modem subsystem failures
• Correlating device-level events with known attack patterns

Implement continuous monitoring of device fleet health to identify devices experiencing repeated connectivity issues that may indicate exploitation attempts.

How to Mitigate CVE-2025-20755

Immediate Actions Required

• Apply the latest firmware updates from device manufacturers that incorporate MediaTek's security patches
• Check device vendor security bulletins for availability of patches addressing MOLY00628396
• In high-security environments, consider restricting devices to known trusted cellular networks where possible
• Enable device logging to capture potential exploitation attempts
• Deploy mobile threat defense solutions to monitor device health

Patch Information

MediaTek has released a security patch identified by Patch ID MOLY00628396 addressing this vulnerability. The fix is documented in MediaTek's December 2025 Product Security Bulletin available at: https://corp.mediatek.com/product-security-bulletin/December-2025

Device manufacturers using affected MediaTek chipsets must integrate this patch into their firmware updates. End users should check with their device manufacturers for the availability of security updates and apply them promptly.

Affected chipsets span multiple product lines including Dimensity 700/720/800/900/1000+ series for smartphones and MT87xx series for tablets. Organizations should inventory devices with these chipsets and prioritize patching.

Workarounds

As this vulnerability exists in the modem firmware, there are limited workarounds available without applying the official patch. However, organizations can implement the following risk reduction measures:

Network Policy Restrictions: Where supported by enterprise MDM solutions, restrict devices to connect only to known carrier networks to reduce exposure to rogue base stations.

Physical Security: In high-security environments, implement RF shielding or use Faraday-protected meeting rooms to prevent unauthorized cellular connections.

Flight Mode: For sensitive operations, temporarily enable airplane mode to disable cellular connectivity, though this significantly impacts device usability.

Device Replacement: For critical use cases where patches are unavailable, consider replacing vulnerable devices with models using non-affected chipsets.

Note that these workarounds do not address the underlying vulnerability and should only be considered temporary measures until official patches can be applied.