CVE-2025-20762 Overview
CVE-2025-20762 is a denial of service vulnerability affecting the modem component in multiple MediaTek chipsets. The vulnerability exists due to incorrect error handling in the modem firmware, which can lead to a system crash when a device connects to a rogue base station controlled by an attacker. This vulnerability is particularly concerning for mobile devices and tablets utilizing affected MediaTek processors in environments where rogue cellular infrastructure may be deployed.
Critical Impact
Remote denial of service attack possible through rogue base station without user interaction or additional execution privileges required.
Affected Products
- MediaTek NR17 (5G Modem Software)
- MediaTek MT6835 / MT6835T (Smartphone SoCs)
- MediaTek MT6878 / MT6878M (Smartphone SoCs)
- MediaTek MT6897 / MT6899 (Smartphone SoCs)
- MediaTek MT6991 (Smartphone SoC)
- MediaTek MT8676 / MT8678 (Tablet SoCs)
- MediaTek MT8755 / MT8792 / MT8793 (Tablet/IoT SoCs)
- MediaTek MT8863 / MT8873 / MT8883 (Tablet SoCs)
Discovery Timeline
- January 6, 2026 - CVE-2025-20762 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-20762
Vulnerability Analysis
This vulnerability stems from improper error handling within the MediaTek modem component (CWE-617: Reachable Assertion). When a User Equipment (UE) device connects to a malicious base station, the modem firmware fails to properly handle certain error conditions, resulting in an assertion failure that causes the entire system to crash.
The attack scenario requires the victim device to connect to a rogue base station operated by an attacker. This can occur in scenarios where an attacker deploys fake cellular infrastructure to lure devices, commonly known as IMSI catcher or Stingray-type attacks. Once a device associates with the malicious base station, the attacker can trigger the vulnerability remotely without any user interaction.
The vulnerability affects devices that cannot gracefully recover from malformed or unexpected protocol responses during cellular network communication. The modem firmware's reliance on assertions for error handling creates a denial of service condition rather than implementing resilient error recovery mechanisms.
Root Cause
The root cause is identified as CWE-617 (Reachable Assertion), indicating that the modem firmware contains assertion checks that can be triggered through external input. When the assertion fails due to unexpected data from a rogue base station, it causes an unrecoverable system crash rather than handling the error gracefully and continuing operation.
Attack Vector
The attack is network-based, requiring the attacker to operate a rogue cellular base station within range of the target device. The attack flow follows this pattern:
- Attacker deploys a rogue base station (fake cell tower) with stronger signal than legitimate towers
- Target device's modem automatically connects to the rogue base station
- Attacker sends malformed or unexpected data that triggers the assertion failure
- Device experiences a complete system crash requiring reboot
- Attack can be repeated continuously to maintain denial of service
No user interaction is required for exploitation, and no additional execution privileges beyond network access are needed. The vulnerability can be exploited remotely once the device associates with the malicious infrastructure.
Detection Methods for CVE-2025-20762
Indicators of Compromise
- Unexpected device reboots or crashes when in areas with unknown cellular coverage
- Repeated modem crashes logged in system diagnostics referencing assertion failures
- Device connecting to unfamiliar cell tower IDs (CID) or Location Area Codes (LAC)
- Modem firmware crash dumps indicating error handling failures in cellular protocol processing
Detection Strategies
- Monitor device crash logs for modem-related assertion failures with Patch ID MOLY01685181 or Issue ID MSV-4760 references
- Implement cellular network anomaly detection to identify connections to suspicious base stations
- Deploy endpoint detection solutions capable of monitoring modem firmware behavior and crash patterns
- Analyze baseband processor logs for abnormal termination events following network association
Monitoring Recommendations
- Configure enterprise mobile device management (MDM) solutions to alert on repeated device reboots
- Implement network traffic analysis to detect potential rogue base station deployment in sensitive areas
- Enable detailed modem logging on test devices to identify exploitation attempts
- Coordinate with carriers to validate cell tower authenticity in high-security environments
How to Mitigate CVE-2025-20762
Immediate Actions Required
- Apply the latest firmware updates from device manufacturers incorporating MediaTek's patch (Patch ID: MOLY01685181)
- Review device fleet for affected MediaTek chipsets and prioritize updates accordingly
- In high-security environments, consider restricting device usage in areas susceptible to rogue base station deployment
- Enable automatic security updates on all affected devices
Patch Information
MediaTek has released a security patch addressing this vulnerability. The fix is tracked as Patch ID: MOLY01685181 and Issue ID: MSV-4760. Device manufacturers using affected MediaTek chipsets should integrate this patch into their firmware updates. End users should apply updates from their device manufacturer or carrier as they become available. Detailed patch information is available in the MediaTek Security Bulletin - January 2026.
Workarounds
- Avoid using devices with affected chipsets in environments where rogue base station attacks are a concern
- Where possible, disable cellular connectivity and use Wi-Fi only in high-risk scenarios
- Implement physical security measures in sensitive facilities to prevent rogue base station deployment
- Consider using devices with baseband firewalls or enhanced cellular security features until patches are applied
# Verify MediaTek modem firmware version on Android devices
adb shell getprop gsm.version.baseband
# Check for security patch level
adb shell getprop ro.build.version.security_patch
# Monitor modem crash events
adb logcat -b crash | grep -i modem
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
