CVE-2025-20756 Overview
CVE-2025-20756 is a denial of service vulnerability in MediaTek modem firmware caused by a logic error. An attacker operating a rogue base station can crash the modem subsystem of a connected user equipment (UE), disrupting cellular service. The flaw requires no user interaction and no additional execution privileges. MediaTek disclosed the issue in its December 2025 Product Security Bulletin with patch ID MOLY01673749 and issue ID MSV-4643. The vulnerability is tracked under [CWE-1287] (Improper Validation of Specified Type of Input) and affects a broad range of MediaTek 4G and 5G chipsets used in smartphones, tablets, and connected devices.
Critical Impact
A nearby attacker controlling a rogue base station can remotely crash the modem of any vulnerable MediaTek-powered device within radio range, causing loss of cellular connectivity.
Affected Products
- MediaTek NR15 modem platform
- MediaTek 5G chipsets including MT6833, MT6853, MT6873, MT6875, MT6877, MT6883, MT6885, MT6889, MT6891, MT6893, and MT2735
- MediaTek automotive and tablet SoCs including MT8673, MT8675, MT8755, MT8791, MT8795T, MT8797, MT8798, and additional MT88xx series parts
Discovery Timeline
- 2025-12-02 - CVE-2025-20756 published to NVD
- 2026-02-17 - Last updated in NVD database
Technical Details for CVE-2025-20756
Vulnerability Analysis
The vulnerability exists in the baseband modem firmware shared across MediaTek's NR15 5G platform and dozens of related chipsets. A logic error in how the modem processes signaling messages received over the air interface allows specially crafted input to trigger an unrecoverable fault. When the modem subsystem crashes, the device loses radio connectivity until the baseband restarts. Because the flaw is reachable from an adjacent network position (CVSS vector AV:A), an attacker only needs proximity to the target device and the ability to operate a rogue base station broadcasting on a frequency the UE will attach to.
Root Cause
The root cause is improper validation of input received from the network, classified as [CWE-1287]. The modem accepts a message field whose contents violate protocol assumptions but are not rejected before being acted upon. The downstream code path then reaches an invalid state and the modem firmware terminates. MediaTek's fix is tracked as patch MOLY01673749.
Attack Vector
Exploitation requires the attacker to stand up a rogue base station, for example using a software-defined radio with open-source cellular stack software. Victim devices that perform cell reselection or initial attach toward the rogue cell will receive the malformed signaling message during the attach or registration procedure. The malformed message drives the modem into the faulty code path and the baseband crashes. No application-layer access, user interaction, or credentials on the target device are required.
No public proof-of-concept code is available and no verified exploit samples have been released, so the vulnerability is described here in prose only. For protocol-level technical context, refer to the MediaTek Security Bulletin December 2025.
Detection Methods for CVE-2025-20756
Indicators of Compromise
- Repeated modem reset events, baseband panic logs, or ril/rmnet service restarts on Android devices in a localized area
- Sudden loss of cellular service on multiple MediaTek-powered devices within the same physical location
- Unknown or unauthorized cell IDs, PLMN identifiers, or tracking area codes appearing in device radio logs
Detection Strategies
- Centralize and review mobile device baseband and radio logs from enterprise MDM or EMM platforms for crash signatures correlated with location
- Use cellular network monitoring or IMSI catcher detection tools to identify rogue base stations operating near sensitive sites
- Correlate user-reported connectivity outages on MediaTek devices with physical proximity to detect localized radio-based attacks
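The location correlation described above can be sketched as follows. This is an added example, not code from MediaTek or from the original page; the telemetry field layout, the `modem_reset` event name, the site labels, and the window and threshold values are assumptions to adapt to your MDM/EMM export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): timestamp, site, device id, event.
SAMPLE_EVENTS = [
    ("2025-12-10T09:00:05", "hq-lobby", "dev-01", "modem_reset"),
    ("2025-12-10T09:00:40", "hq-lobby", "dev-02", "modem_reset"),
    ("2025-12-10T09:01:10", "hq-lobby", "dev-01", "modem_reset"),
    ("2025-12-10T09:02:30", "hq-lobby", "dev-03", "modem_reset"),
    ("2025-12-10T09:03:00", "hq-lobby", "dev-04", "app_crash"),
    ("2025-12-10T11:15:00", "warehouse", "dev-09", "modem_reset"),
    ("2025-12-10T16:45:00", "warehouse", "dev-10", "modem_reset"),
]


def find_reset_clusters(events, window=timedelta(minutes=5), min_devices=3):
    """Return (site, first, last, devices) for each burst in which at least
    `min_devices` distinct devices at one site reset within `window`."""
    by_site = defaultdict(list)
    for ts, site, device, event in events:
        if event == "modem_reset":
            by_site[site].append((datetime.fromisoformat(ts), device))

    clusters = []
    for site, resets in by_site.items():
        resets.sort()
        start = 0
        while start < len(resets):
            # Extend the burst while later resets stay inside the window.
            end = start
            while end + 1 < len(resets) and resets[end + 1][0] - resets[start][0] <= window:
                end += 1
            # Count distinct devices so one handset in a reset loop does not alert.
            devices = sorted({dev for _, dev in resets[start:end + 1]})
            if len(devices) >= min_devices:
                clusters.append((site, resets[start][0], resets[end][0], devices))
                start = end + 1  # continue after the reported burst
            else:
                start += 1
    return clusters


if __name__ == "__main__":
    for site, first, last, devices in find_reset_clusters(SAMPLE_EVENTS):
        print(f"{site}: {len(devices)} devices reset between {first} and {last}: {devices}")
```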
Monitoring Recommendations
- Track MediaTek firmware and OEM patch level on managed mobile devices and flag devices that lag the December 2025 security patch
- Alert on anomalous cellular reattach storms or unexplained baseband resets reported through telemetry from corporate-issued devices
- Monitor MediaTek's product security bulletin feed for related signaling vulnerabilities disclosed in the same patch cycle
How to Mitigate CVE-2025-20756
Immediate Actions Required
- Inventory mobile devices, tablets, automotive head units, and IoT endpoints that use the affected MediaTek chipsets listed in the bulletin
- Apply the December 2025 (or later) OEM security update containing MediaTek patch MOLY01673749 as soon as it is published by the device manufacturer
- Escalate with device OEMs that have not yet shipped the December 2025 MediaTek patch bundle to obtain a deployment timeline
Patch Information
MediaTek released the fix in its December 2025 Product Security Bulletin under patch ID MOLY01673749 and issue ID MSV-4643. The patch must be integrated by device OEMs and delivered through their normal firmware update channels. Refer to the MediaTek Security Bulletin December 2025 for the full list of affected chipsets and patch references.
Workarounds
- Restrict use of unpatched devices in environments where rogue base station attacks are plausible, such as high-risk travel or sensitive facilities
- Where supported by the device, disable automatic attachment to unknown or weak cellular networks and prefer 5G standalone with operator-validated cells
- Use cellular shielding or airplane mode in zones where rogue radio activity has been observed, until firmware updates are deployed
```bash
# Configuration example: check MediaTek firmware/security patch level on Android via adb
adb shell getprop ro.build.version.security_patch
adb shell getprop gsm.version.baseband
```
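To turn that check into a fleet audit, the following added example (not part of the original page or the MediaTek bulletin) parses saved `adb shell getprop` output and flags listed chipsets that lag the December 2025 patch level. It assumes the OEM reports the chipset in `ro.board.platform` and uses 2025-12-01 as the threshold; a passing patch level is only a proxy, so confirm with the OEM that MOLY01673749 is included.

```python
import re
from datetime import date

# Chipsets named on this page; the bulletin's full list is longer.
AFFECTED = {
    "mt6833", "mt6853", "mt6873", "mt6875", "mt6877", "mt6883", "mt6885",
    "mt6889", "mt6891", "mt6893", "mt2735", "mt8673", "mt8675", "mt8755",
    "mt8791", "mt8795t", "mt8797", "mt8798",
}
# Assumption: earliest patch level of the December 2025 cycle.
MIN_PATCH = date(2025, 12, 1)
PROP_RE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")

# Constructed sample of `adb shell getprop` output (values are placeholders).
SAMPLE_GETPROP = """\
[gsm.version.baseband]: [MOLY.NR15.CONSTRUCTED]
[ro.board.platform]: [mt6893]
[ro.build.version.security_patch]: [2025-10-05]
"""


def parse_getprop(text):
    """Parse '[key]: [value]' lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        match = PROP_RE.match(line.strip())
        if match:
            props[match.group(1)] = match.group(2)
    return props


def audit(text):
    """Classify one device from its getprop dump."""
    props = parse_getprop(text)
    if props.get("ro.board.platform", "").lower() not in AFFECTED:
        return "not-listed"
    try:
        patch = date.fromisoformat(props.get("ro.build.version.security_patch", ""))
    except ValueError:
        return "unknown-patch-level"  # missing or malformed date: review manually
    return "needs-update" if patch < MIN_PATCH else "patch-level-ok"


if __name__ == "__main__":
    print(audit(SAMPLE_GETPROP))
```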

