CVE-2025-20759 Overview
CVE-2025-20759 is an out-of-bounds read vulnerability affecting MediaTek modem firmware across a wide range of chipsets. The vulnerability exists in the Modem component due to a missing bounds check, which could allow an attacker to trigger a remote denial of service condition. Exploitation requires the victim's User Equipment (UE) to connect to a rogue base station controlled by the attacker. No additional execution privileges or user interaction is required for exploitation.
This vulnerability is classified as CWE-125 (Out-of-Bounds Read), a memory safety issue that occurs when software reads data past the end or before the beginning of an intended buffer. In the context of cellular modem firmware, such vulnerabilities can be particularly dangerous as they may be exploited through malicious network infrastructure.
Critical Impact
Remote denial of service affecting mobile devices with MediaTek modem chipsets when connected to a malicious base station. The attack requires no user interaction and no special privileges.
Affected Products
- MediaTek MT6833, MT6833P (Dimensity 700 series)
- MediaTek MT6853, MT6853T, MT6855, MT6855T (Dimensity 720/800 series)
- MediaTek MT6873, MT6875, MT6875T (Dimensity 800U series)
- MediaTek MT6877, MT6877T, MT6877TT (Dimensity 900 series)
- MediaTek MT6879, MT6880, MT6883, MT6885, MT6886 (Dimensity 1000 series)
- MediaTek MT6889, MT6890, MT6891, MT6893 (Dimensity 1100/1200 series)
- MediaTek MT6895, MT6895TT, MT6896 (Dimensity 8000 series)
- MediaTek MT6980, MT6980D, MT6983, MT6983T (Dimensity 9000 series)
- MediaTek MT6985, MT6985T, MT6989, MT6989T, MT6990 (Dimensity 9200+ series)
- MediaTek MT2735, MT2737 (5G modem chips)
- MediaTek MT8673, MT8675, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893 (Tablet/Chromebook chipsets)
- MediaTek NR15, NR16 (5G NR modem firmware)
Discovery Timeline
- December 2, 2025 - CVE-2025-20759 published to NVD
- December 3, 2025 - Last updated in NVD database
Technical Details for CVE-2025-20759
Vulnerability Analysis
The vulnerability resides in MediaTek's modem firmware, specifically tracked as Patch ID: MOLY01673760 and Issue ID: MSV-4650. The flaw is characterized as an out-of-bounds read condition resulting from insufficient bounds checking when processing data in the modem subsystem.
The CVSS 3.1 score of 6.5 (Medium severity) reflects the network-based attack vector with low attack complexity. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H indicates:
| Metric | Value | Description |
|---|---|---|
| Attack Vector | Network | Exploitable remotely via rogue base station |
| Attack Complexity | Low | No special conditions required |
| Privileges Required | Low | Attacker needs ability to operate rogue base station |
| User Interaction | None | Victim device auto-connects without user action |
| Confidentiality Impact | None | No data exposure |
| Integrity Impact | None | No data modification |
| Availability Impact | High | Complete denial of service possible |
The EPSS (Exploit Prediction Scoring System) probability is 0.189% with a percentile ranking of 40.99, indicating a relatively moderate likelihood of exploitation in the wild.
Root Cause
The root cause of CVE-2025-20759 is a missing bounds check in the MediaTek modem firmware. When the modem processes certain data structures or protocol messages, it fails to validate that read operations remain within allocated buffer boundaries. This allows memory outside the intended buffer to be accessed, leading to undefined behavior and potential service disruption.
Out-of-bounds read vulnerabilities in modem firmware are particularly concerning because:
- The modem operates at a privileged level separate from the main application processor
- Cellular protocol handling involves complex state machines processing untrusted network data
- Modem crashes or hangs can cause complete loss of cellular connectivity
Attack Vector
The attack requires the victim's device to connect to a rogue base station (fake cell tower) controlled by the attacker. This attack scenario involves:
- Rogue Base Station Setup: The attacker deploys a malicious cellular base station that mimics a legitimate cell tower
- Device Connection: The victim's device connects to the rogue base station, either through signal strength manipulation or when legitimate towers are unavailable
- Malicious Data Transmission: The attacker sends specially crafted protocol messages that trigger the out-of-bounds read condition in the modem firmware
- Denial of Service: The vulnerability causes the modem subsystem to crash or hang, resulting in loss of cellular connectivity
This type of attack is commonly referred to as an IMSI catcher or Stingray-style attack, though in this case the goal is service disruption rather than surveillance.
Detection Methods for CVE-2025-20759
Indicators of Compromise
- Unexpected cellular connectivity loss or modem crashes without apparent cause
- Device logs showing modem subsystem failures or restarts
- Repeated modem firmware exceptions in system logs
- Unusual connection patterns to cellular networks with weak authentication
Detection Strategies
Network-Level Detection:
Organizations with cellular network visibility should monitor for anomalous base station behavior and implement detection mechanisms for rogue cell towers in sensitive areas.
Device-Level Detection:
- Monitor system logs for modem crash events or MOLY error codes
- Track cellular connectivity stability metrics across device fleets
- Implement cellular anomaly detection in mobile device management (MDM) solutions
SentinelOne Protection:
SentinelOne's Singularity platform provides endpoint visibility that can help identify abnormal device behavior patterns that may indicate exploitation attempts. While modem-level attacks occur below the operating system, the resulting system instability and crash events can be correlated and analyzed.
Monitoring Recommendations
- Fleet Monitoring: Organizations should monitor their mobile device fleet for unusual patterns of connectivity loss or device reboots
- Firmware Tracking: Maintain inventory of device firmware versions and prioritize updates for affected MediaTek chipsets
- Physical Security: In high-security environments, consider RF detection capabilities to identify rogue base stations
- Incident Correlation: Correlate cellular disruption events with physical location data to identify potential attack zones
How to Mitigate CVE-2025-20759
Immediate Actions Required
- Check device chipset model against the affected products list to determine exposure
- Apply firmware updates from device manufacturers as they become available
- Monitor MediaTek's Product Security Bulletin for December 2025 for updated guidance
- In high-risk environments, consider limiting cellular connectivity for sensitive operations until patched
- Enable automatic system updates on affected devices to receive patches promptly
Patch Information
MediaTek has released a security patch identified as MOLY01673760 to address this vulnerability. The fix is documented in MediaTek's December 2025 Product Security Bulletin available at: https://corp.mediatek.com/product-security-bulletin/December-2025
Device manufacturers integrating MediaTek chipsets will need to incorporate this patch into their firmware updates. End users should:
- Check with their device manufacturer for firmware update availability
- Apply Android security updates or device-specific updates when released
- For tablets and Chromebooks with affected MT87xx series chips, apply system updates from the respective platform
Workarounds
Since this vulnerability exists in modem firmware and requires connection to a rogue base station, the following risk reduction measures can be applied while awaiting patches:
For Enterprise Environments:
- Implement Wi-Fi-only policies for sensitive operations where cellular connectivity is not essential
- Deploy RF detection and monitoring solutions in high-security facilities
- Configure MDM policies to alert on repeated cellular connectivity issues
For Individual Users:
- Avoid areas where rogue base stations may be deployed (protests, high-value target locations)
- Use airplane mode with Wi-Fi only in situations where cellular security is a concern
- Keep devices updated with the latest available firmware
# Check Android device chipset (requires ADB access)
adb shell getprop ro.hardware
adb shell cat /proc/cpuinfo | grep Hardware
# Monitor for modem crash events in Android logs
adb logcat | grep -i "modem\|MOLY\|cellular"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
