CVE-2025-20790 Overview
CVE-2025-20790 is a Null Pointer Dereference vulnerability affecting the modem component in multiple MediaTek chipsets. The vulnerability stems from improper input validation in the modem firmware, which can lead to a system crash when a User Equipment (UE) device connects to a rogue base station controlled by an attacker. This remote denial of service vulnerability requires no additional execution privileges and no user interaction for exploitation.
The attack scenario involves an adversary setting up a malicious base station that can send specially crafted input to vulnerable MediaTek modem firmware. When a device with an affected chipset connects to this rogue base station, the improper input validation triggers a null pointer dereference, causing the entire system to crash.
Critical Impact
Remote denial of service affecting mobile devices with MediaTek chipsets through rogue base station attacks requiring no user interaction
Affected Products
- MediaTek NR15 (5G Modem Software)
- MediaTek MT2735 Modem
- MediaTek MT6833/MT6833P (Dimensity 700 series)
- MediaTek MT6853/MT6853T (Dimensity 720 series)
- MediaTek MT6855/MT6855T (Dimensity 930)
- MediaTek MT6873 (Dimensity 800 series)
- MediaTek MT6875/MT6875T (Dimensity 820)
- MediaTek MT6877/MT6877T/MT6877TT (Dimensity 900/920)
- MediaTek MT6880 (Dimensity 1000)
- MediaTek MT6883/MT6885 (Dimensity 1000+)
- MediaTek MT6889/MT6890/MT6891/MT6893 (Dimensity 1200 series)
- MediaTek MT8675/MT8771/MT8791/MT8791T/MT8797 Tablet Chipsets
Discovery Timeline
- 2025-12-02 - CVE-2025-20790 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-20790
Vulnerability Analysis
This vulnerability is classified as CWE-476 (NULL Pointer Dereference) and has been assigned a CVSS v3.1 score of 5.3 (Medium severity). The CVSS vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H indicates:
- Attack Vector (AV:N): Network-based attack, exploitable remotely
- Attack Complexity (AC:H): High complexity - requires setting up a rogue base station
- Privileges Required (PR:L): Low privileges needed
- User Interaction (UI:N): No user interaction required
- Scope (S:U): Unchanged - impact limited to vulnerable component
- Confidentiality (C:N): No impact on confidentiality
- Integrity (I:N): No impact on integrity
- Availability (A:H): High impact on availability - system crash
The Exploit Prediction Scoring System (EPSS) indicates a 0.22% probability of exploitation in the wild, placing this vulnerability in the 44.63rd percentile as of 2025-12-16.
Root Cause
The root cause of CVE-2025-20790 lies in insufficient input validation within the MediaTek modem firmware's baseband signal processing routines. When the modem receives certain malformed signaling messages from a cellular base station, the firmware fails to properly validate the input before dereferencing pointers, resulting in a null pointer dereference condition.
The modem firmware component responsible for handling Layer 3 signaling messages from base stations does not adequately check for null or invalid data structures before attempting to process them. This allows an attacker controlling a rogue base station to craft specific signaling messages that trigger the null pointer dereference when processed by the vulnerable modem firmware.
Attack Vector
The attack requires an adversary to establish a rogue cellular base station (fake cell tower) within radio range of the target device. Modern Software Defined Radio (SDR) equipment and open-source base station software make this attack scenario increasingly feasible.
The attack flow proceeds as follows:
- Attacker deploys a rogue base station with stronger signal strength than legitimate towers in the area
- Target device with vulnerable MediaTek chipset automatically connects to the stronger signal
- Rogue base station sends malformed signaling messages to the connected device
- MediaTek modem firmware processes the malformed input without proper validation
- Null pointer dereference occurs, causing immediate system crash
- Device becomes unresponsive until manually restarted
This vulnerability is particularly concerning in scenarios where availability is critical, such as emergency communications or IoT devices in remote locations.
Detection Methods for CVE-2025-20790
Indicators of Compromise
- Unexpected device reboots or crashes without apparent cause
- Multiple system crashes occurring in the same geographic location
- Modem subsystem crash logs indicating null pointer exceptions
- Unusual cellular connection behavior or frequent re-associations with base stations
- Device crash dumps showing modem firmware exceptions
Detection Strategies
Detecting exploitation of this vulnerability is challenging due to its nature at the modem firmware level. Organizations should consider the following approaches:
Device-Level Monitoring:
- Monitor for frequent unexpected device reboots or crashes
- Analyze modem crash dumps for null pointer dereference patterns
- Track cellular connection anomalies and frequent handoffs
Network-Level Detection:
- Deploy RF spectrum analysis to detect unauthorized base stations
- Monitor for anomalous cellular tower patterns in controlled environments
- Use cellular security solutions that can detect rogue base station activity
Enterprise MDM Integration:
- Configure Mobile Device Management solutions to alert on repeated device crashes
- Track device health metrics across fleet deployments
- Correlate crash events geographically to identify potential attack zones
Monitoring Recommendations
Organizations with fleets of devices containing affected MediaTek chipsets should implement enhanced monitoring:
- Crash Analytics: Aggregate and analyze crash reports from managed devices to identify patterns consistent with exploitation
- Geolocation Correlation: Cross-reference device crash events with location data to identify potential rogue base station hotspots
- Firmware Version Tracking: Maintain inventory of modem firmware versions across the device fleet to prioritize patching
- Cellular Anomaly Detection: Where possible, monitor for unusual cellular network behavior that might indicate rogue infrastructure
How to Mitigate CVE-2025-20790
Immediate Actions Required
- Apply the MediaTek security patch MOLY01677581 through OEM firmware updates as soon as available
- Review device fleet inventory to identify all devices containing affected MediaTek chipsets
- Prioritize patching for devices used in security-sensitive or availability-critical applications
- Consider temporary cellular connectivity restrictions for high-value assets in untrusted RF environments
- Enable any available modem crash logging to assist in incident detection
Patch Information
MediaTek has released a security patch identified as MOLY01677581 to address this vulnerability. The patch is documented in MediaTek's December 2025 Product Security Bulletin available at: https://corp.mediatek.com/product-security-bulletin/December-2025
The fix is tracked internally by MediaTek under Issue ID MSV-4701. Device manufacturers (OEMs) must integrate this patch into their firmware updates and distribute to end users through their respective update channels.
End users should:
- Check for firmware/system updates from their device manufacturer
- Install all available security updates promptly
- Contact device vendor support if updates are not available for their device model
Workarounds
Since this vulnerability exists at the modem firmware level, complete mitigation requires applying the vendor patch. However, the following interim measures may reduce exposure:
Reduce Attack Surface:
- Avoid using affected devices in locations where rogue base stations are more likely (public events, protests, sensitive facilities)
- Consider using airplane mode and WiFi-only connectivity in high-risk environments
- Disable automatic cellular network selection where possible to prevent automatic connection to unknown base stations
Enterprise Considerations:
- Implement mobile threat defense solutions that can detect rogue base station activity
- Use secure communications applications that can operate over WiFi as an alternative
- Consider cellular signal shielding in sensitive facilities
- Deploy enterprise-grade RF monitoring to detect unauthorized cellular infrastructure
For critical infrastructure or high-security environments, consider using devices with chipsets from vendors that have already patched this vulnerability until MediaTek-based devices can be updated.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
