CVE-2025-20756 Overview
CVE-2025-20756 is a medium-severity vulnerability affecting MediaTek modem components across a wide range of chipsets. The vulnerability exists in the Modem firmware where a logic error can cause a system crash, leading to a remote denial of service condition. This attack is particularly concerning as it can be triggered when a User Equipment (UE) device connects to a rogue base station controlled by an attacker.
The vulnerability requires no additional execution privileges and no user interaction for exploitation, making it a significant concern for mobile devices and IoT equipment utilizing affected MediaTek chipsets. The attack vector is network-based, though it requires high attack complexity as the attacker must operate a rogue base station within range of the target device.
Critical Impact
Remote denial of service through system crash when device connects to attacker-controlled rogue base station. Affects 37+ MediaTek chipsets used in smartphones, tablets, and IoT devices.
Affected Products
- MediaTek NR15 (5G modem software)
- MediaTek MT2735 modem chipset
- MediaTek MT6833, MT6833P (Dimensity 700 series)
- MediaTek MT6853, MT6853T (Dimensity 720 series)
- MediaTek MT6855, MT6855T (Dimensity 930 series)
- MediaTek MT6873 (Dimensity 800 series)
- MediaTek MT6875, MT6875T (Dimensity 820)
- MediaTek MT6877, MT6877T, MT6877TT (Dimensity 900 series)
- MediaTek MT6880, MT6883, MT6885, MT6889 (Dimensity 1000 series)
- MediaTek MT6890, MT6891, MT6893 (Dimensity 1200 series)
- MediaTek MT8673, MT8675, MT8676, MT8678 tablet chipsets
- MediaTek MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793
- MediaTek MT8795T, MT8797, MT8798
- MediaTek MT8863, MT8873, MT8883, MT8893
Discovery Timeline
- December 2, 2025 - CVE-2025-20756 published to NVD
- December 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-20756
Vulnerability Analysis
This vulnerability is classified under CWE-1287 (Improper Validation of Specified Type of Input). The flaw resides within the MediaTek modem firmware, specifically affecting the processing logic for cellular network communications.
The CVSS 3.1 base score is 5.3 (Medium severity) with the following vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
Breaking down the CVSS metrics:
- Attack Vector (AV:N): Network-based attack through cellular radio interface
- Attack Complexity (AC:H): High complexity requiring operation of a rogue base station
- Privileges Required (PR:L): Low privileges needed on the attacker side
- User Interaction (UI:N): No user interaction required
- Scope (S:U): Scope remains unchanged
- Confidentiality (C:N): No confidentiality impact
- Integrity (I:N): No integrity impact
- Availability (A:H): High availability impact due to system crash
The Exploit Prediction Scoring System (EPSS) indicates a 0.19% probability of exploitation, placing this vulnerability in the 41st percentile as of December 16, 2025.
Root Cause
The root cause of CVE-2025-20756 is a logic error within the MediaTek modem firmware's processing routines. When the modem firmware encounters specific malformed or unexpected input from a base station, the logic error causes improper handling of the input data, resulting in an unrecoverable state that triggers a system crash.
This type of vulnerability typically occurs when conditional logic fails to properly validate state transitions or when exception handling does not adequately cover edge cases in the cellular protocol stack. The affected code path is triggered during the connection establishment or data exchange phase with a cellular base station.
Attack Vector
The attack scenario for CVE-2025-20756 involves an adversary operating a rogue cellular base station (also known as a "stingray" or "IMSI catcher"). The attack flow is as follows:
- The attacker deploys a rogue base station that masquerades as a legitimate cellular tower
- The target device (smartphone, tablet, or IoT device with affected MediaTek chipset) connects to the rogue base station, either automatically or due to signal strength preferences
- The rogue base station sends specially crafted cellular protocol messages that exploit the logic error
- The modem firmware encounters the logic error condition and crashes
- The system crash results in denial of service, requiring device restart
This attack does not require any user interaction and can affect any device within radio range of the rogue base station. The attack is particularly effective in areas with weak legitimate cellular coverage or in targeted scenarios where devices can be lured to connect to the malicious base station.
Detection Methods for CVE-2025-20756
Indicators of Compromise
- Unexpected device reboots or crashes without apparent cause
- Modem firmware crash logs indicating MOLY01673749 or MSV-4643 error codes
- Cellular connectivity issues followed by system instability
- Multiple devices in the same area experiencing simultaneous crashes
- Unusual cellular signal patterns or unexpected base station connections in device logs
Detection Strategies
Network-Level Detection:
Organizations can deploy cellular network monitoring solutions to detect rogue base stations in their environment. These solutions analyze RF signals and protocol exchanges to identify unauthorized or suspicious base stations.
Device-Level Monitoring:
Mobile Device Management (MDM) solutions can monitor for patterns indicative of this attack, including:
- Frequency of unexpected reboots
- Modem crash events in system logs
- Unusual cellular connection patterns
SentinelOne Mobile Protection:
SentinelOne's mobile threat defense capabilities can detect anomalous device behavior patterns consistent with denial of service attacks, including repeated system crashes and cellular connectivity anomalies.
Monitoring Recommendations
Security teams should implement the following monitoring strategies:
- Crash Log Analysis: Regularly review modem crash logs for references to Patch ID MOLY01673749 or Issue ID MSV-4643
- Cellular Anomaly Detection: Deploy solutions capable of detecting rogue base stations in sensitive areas
- Fleet Monitoring: For organizations managing device fleets, monitor for clusters of device crashes that may indicate a localized attack
- Firmware Version Tracking: Maintain inventory of devices with affected MediaTek chipsets and track firmware update status
How to Mitigate CVE-2025-20756
Immediate Actions Required
- Identify all devices in your environment utilizing affected MediaTek chipsets
- Check device manufacturers' security bulletins for firmware updates addressing this vulnerability
- Prioritize updates for devices used in sensitive environments or with access to critical data
- Consider restricting device use in areas where rogue base station attacks are likely
- Enable any available modem security hardening features on affected devices
Patch Information
MediaTek has released a security patch addressing this vulnerability. The patch is identified as:
- Patch ID: MOLY01673749
- Issue ID: MSV-4643
The patch is documented in MediaTek's December 2025 Product Security Bulletin.
Device manufacturers (OEMs) must integrate this patch into their firmware updates. End users should contact their device manufacturer or check for system updates that incorporate the December 2025 MediaTek security patches.
Workarounds
Since this vulnerability exists at the modem firmware level, software-based workarounds are limited. However, organizations can implement the following risk reduction measures:
Physical Security Measures:
- Implement RF shielding in high-security areas to prevent rogue base station attacks
- Deploy cellular intrusion detection systems to identify unauthorized base stations
Operational Measures:
- Avoid using affected devices in areas with poor cellular coverage where rogue base stations could be more effective
- Enable airplane mode when in high-risk environments where rogue base stations may be present
- Use Wi-Fi calling when available to reduce reliance on cellular connectivity
Enterprise Controls:
Organizations with mobile device fleets should work with their MDM vendors to implement policies that can detect and respond to potential exploitation attempts while awaiting firmware updates from device manufacturers.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
