
CVE-2025-20791: MediaTek NR15 Modem DoS Vulnerability

CVE-2025-20791 is a denial of service vulnerability in the MediaTek NR15 modem caused by incorrect error handling. An attacker operating a rogue base station can trigger a system crash on a connected device. This article covers technical details, affected versions, impact, and mitigation strategies.

CVE-2025-20791 Overview

CVE-2025-20791 is a Denial of Service vulnerability affecting the MediaTek Modem component across numerous MediaTek chipsets. The vulnerability stems from incorrect error handling in the modem firmware, which can lead to a system crash when a User Equipment (UE) device connects to a rogue base station controlled by an attacker.

This vulnerability is particularly concerning because it requires no user interaction for exploitation and no additional execution privileges. An attacker operating a malicious base station could trigger the vulnerability remotely, causing affected devices to crash and become temporarily unavailable.

Critical Impact

Remote denial of service attack possible through rogue base station connection, affecting mobile devices with vulnerable MediaTek chipsets without requiring user interaction.

Affected Products

  • MediaTek NR15
  • MediaTek MT2735
  • MediaTek MT6833/MT6833P
  • MediaTek MT6853/MT6853T
  • MediaTek MT6855/MT6855T
  • MediaTek MT6873
  • MediaTek MT6875/MT6875T
  • MediaTek MT6877/MT6877T/MT6877TT
  • MediaTek MT6880
  • MediaTek MT6883
  • MediaTek MT6885
  • MediaTek MT6889
  • MediaTek MT6890
  • MediaTek MT6891
  • MediaTek MT6893
  • MediaTek MT8675
  • MediaTek MT8771
  • MediaTek MT8791/MT8791T
  • MediaTek MT8797

Discovery Timeline

  • December 2, 2025 - CVE-2025-20791 published to NVD
  • December 3, 2025 - Last updated in NVD database

Technical Details for CVE-2025-20791

Vulnerability Analysis

CVE-2025-20791 is classified under CWE-617 (Reachable Assertion), which describes a condition where the product contains an assertion that can be triggered by an attacker. In this case, the MediaTek modem firmware contains improper error handling logic that fails to gracefully manage unexpected conditions during cellular network communications.

The vulnerability carries a CVSS v3.1 score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H. This indicates:

  • Attack Vector (AV:N): Network-based attack
  • Attack Complexity (AC:H): High complexity required (rogue base station setup)
  • Privileges Required (PR:L): Low privileges needed
  • User Interaction (UI:N): No user interaction required
  • Scope (S:U): Unchanged scope
  • Confidentiality (C:N): No confidentiality impact
  • Integrity (I:N): No integrity impact
  • Availability (A:H): High availability impact

The EPSS (Exploit Prediction Scoring System) data shows a probability of 0.214% with a percentile ranking of 44.01%, indicating a moderate likelihood of exploitation in the wild.

Root Cause

The root cause of this vulnerability lies in the modem's error handling implementation. When the modem receives malformed or unexpected data from a base station, the error handling routines fail to properly validate and process the error conditions. Instead of gracefully recovering or ignoring the malformed input, the modem triggers an assertion or unhandled exception that results in a system crash.

This type of reachable assertion vulnerability (CWE-617) typically occurs when:

  • Assertions intended for debugging are left in production code
  • Error conditions are not properly anticipated in network protocol handling
  • Input validation is insufficient for edge cases in cellular communication protocols

Attack Vector

The attack requires an adversary to operate a rogue base station within radio range of the target device. When a vulnerable device connects to this malicious base station, the attacker can send specially crafted cellular protocol messages that trigger the incorrect error handling in the modem firmware.

The attack scenario involves:

  1. The attacker sets up a rogue base station (IMSI catcher or similar infrastructure)
  2. The target device with a vulnerable MediaTek chipset connects to the rogue base station
  3. The attacker sends malformed signaling messages through the rogue base station
  4. The modem's error handling fails to process the malformed data correctly
  5. An assertion or unhandled exception is triggered, causing the modem (and potentially the device) to crash

No user interaction is needed because devices automatically attach to the strongest available signal, which makes the attack particularly effective in areas where the attacker can establish signal dominance.

Detection Methods for CVE-2025-20791

Indicators of Compromise

  • Unexpected device reboots or crashes, particularly in areas with potentially compromised cellular infrastructure
  • Modem crash logs indicating assertion failures or unhandled exceptions
  • Unusual cellular network behavior or connection patterns
  • Crash dump files referencing modem firmware components
  • System logs showing repeated modem subsystem restarts

Detection Strategies

Organizations can implement the following detection strategies:

  1. Device Monitoring: Deploy mobile device management (MDM) solutions that can collect and analyze device crash reports, specifically monitoring for modem-related crashes.

  2. Network Anomaly Detection: Monitor for unusual cellular network patterns that might indicate the presence of rogue base stations in the environment.

  3. Firmware Version Auditing: Regularly audit device firmware versions to identify devices running vulnerable MediaTek modem firmware prior to patch ID MOLY01661189.

  4. Crash Report Analysis: Implement automated analysis of device crash reports to identify patterns consistent with CVE-2025-20791 exploitation.

Monitoring Recommendations

Security teams should:

  • Enable detailed logging on mobile devices where possible
  • Implement centralized crash report collection for enterprise-managed devices
  • Monitor for geographic clusters of device crashes that might indicate rogue base station activity
  • Utilize cellular network monitoring tools to detect anomalous base station behavior
  • Consider deploying IMSI catcher detection solutions in sensitive environments
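The Firmware Version Auditing and Crash Report Analysis strategies above can be combined into a small triage step that an MDM pipeline or an analyst's script can run over collected device data. The following is an added Python example written for this article, not code from the advisory or a MediaTek tool. It assumes the device's chipset is read from the `ro.board.platform` property and that crash indicators are collected from the Android `logcat -b radio` buffer in the standard threadtime layout; the sample log lines, the tag names and the two-resets escalation threshold are constructed for the example and are not real MediaTek log output.

```python
import re

# Chipsets the advisory lists as affected. Matching is on the chipset token,
# case-insensitively, because OEM property values vary in case.
AFFECTED_CHIPSETS = {
    "NR15", "MT2735", "MT6833", "MT6833P", "MT6853", "MT6853T", "MT6855", "MT6855T",
    "MT6873", "MT6875", "MT6875T", "MT6877", "MT6877T", "MT6877TT", "MT6880", "MT6883",
    "MT6885", "MT6889", "MT6890", "MT6891", "MT6893", "MT8675", "MT8771", "MT8791",
    "MT8791T", "MT8797",
}

# Standard `logcat -v threadtime` layout: date time PID TID level tag: message.
LOGCAT_LINE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+"
    r"(?P<lvl>[VDIWEF])\s+(?P<tag>\S+)\s*:\s*(?P<msg>.*)$"
)

# Assumption for this example: two or more modem resets in one capture are worth escalating.
RESTART_THRESHOLD = 2

# Constructed sample radio-buffer lines; tags and messages are invented for this
# example and are not real MediaTek output. The last line is logcat's own buffer marker.
SAMPLE_RADIO_LOG = [
    "12-03 10:14:02.117  1203  1290 I RIL     : registered on serving cell",
    "12-03 10:14:05.402  1203  1290 E MODEM   : assert failed in signaling handler",
    "12-03 10:14:05.890   512   512 W MODEM   : modem reset requested",
    "12-03 10:14:09.003  1203  1290 I RIL     : modem restart complete",
    "12-03 10:15:01.220  1203  1290 I RIL     : signal strength update",
    "12-03 10:15:44.731  1203  1290 E MODEM   : assert failed in signaling handler",
    "12-03 10:15:45.102   512   512 W MODEM   : modem reset requested",
    "--------- beginning of radio",
]


def chipset_is_affected(board_platform):
    """True if the ro.board.platform value names a chipset from the advisory's list."""
    return board_platform.strip().upper() in AFFECTED_CHIPSETS


def classify_message(msg):
    """Map a log message to an indicator class from the advisory's IoC list, or None."""
    text = msg.lower()
    if "assert" in text:
        return "assert"
    if "modem" in text and ("reset" in text or "restart" in text):
        return "restart"
    if "crash" in text or "exception" in text:
        return "crash"
    return None


def triage_radio_log(lines):
    """Count indicator hits in radio log lines and decide whether the capture is suspicious."""
    counts = {"assert": 0, "restart": 0, "crash": 0, "unparsed": 0}
    hits = []
    for line in lines:
        m = LOGCAT_LINE.match(line)
        if not m:
            counts["unparsed"] += 1  # buffer markers and truncated lines are counted, not dropped silently
            continue
        kind = classify_message(m["msg"])
        if kind:
            counts[kind] += 1
            hits.append((m["ts"], m["tag"], kind))
    # Any assertion failure in the modem is notable on its own; repeated resets are too.
    suspicious = counts["assert"] > 0 or counts["restart"] >= RESTART_THRESHOLD
    return {**counts, "hits": hits, "suspicious": suspicious}


def assess_device(board_platform, lines):
    """Combine the chipset audit with the crash-log triage into one escalation decision."""
    report = triage_radio_log(lines)
    report["chipset"] = board_platform
    report["affected_chipset"] = chipset_is_affected(board_platform)
    # Escalate only when both an affected chipset and suspicious crash behaviour are present.
    report["escalate"] = report["affected_chipset"] and report["suspicious"]
    return report


if __name__ == "__main__":
    report = assess_device("mt6877", SAMPLE_RADIO_LOG)
    print(f"chipset={report['chipset']} affected={report['affected_chipset']}")
    print(f"asserts={report['assert']} restarts={report['restart']} crashes={report['crash']}")
    for ts, tag, kind in report["hits"]:
        print(f"  {ts} {tag}: {kind}")
    print(f"escalate={report['escalate']}")
```

Feeding real captures to `assess_device` only requires replacing the constructed list with the output of `adb shell getprop ro.board.platform` and `adb logcat -b radio -v threadtime`. A single assertion hit is reported even when the reset threshold is not reached, since the CWE-617 pattern described in the Root Cause section surfaces as an assertion failure before any restart; the chipset check keeps the same crash pattern on an unaffected platform from being attributed to this CVE.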

How to Mitigate CVE-2025-20791

Immediate Actions Required

  • Apply the security patch identified as MOLY01661189 from MediaTek through OEM firmware updates
  • Check with device manufacturers for available security updates addressing this vulnerability
  • Monitor the MediaTek Product Security Bulletin for December 2025 for additional guidance
  • Identify all devices in your environment using affected MediaTek chipsets
  • Prioritize patching for devices used in sensitive environments or by high-value targets

Patch Information

MediaTek has released a patch, identified as MOLY01661189, to address this vulnerability.

Device manufacturers (OEMs) using affected MediaTek chipsets should integrate this patch into their firmware updates. End users should check with their device manufacturers for security updates that include this fix.

Workarounds

While awaiting patch deployment, consider the following workarounds:

  1. Avoid High-Risk Areas: Users should be cautious when operating devices in areas where rogue base stations may be present, such as the vicinity of high-security sites, protest areas, or regions with known surveillance activity.

  2. Enable Airplane Mode: In sensitive situations, enabling airplane mode will prevent the device from connecting to any base station, including rogue ones.

  3. Use Alternative Communication Methods: Where possible, rely on Wi-Fi-based communication instead of cellular when in potentially compromised environments.

  4. Device Selection: For new device procurement, verify that devices include firmware with patch MOLY01661189 applied.

```bash
# Check device chipset information (Android)
adb shell getprop ro.hardware
adb shell getprop ro.board.platform

# Review modem (radio buffer) logs for crash indicators
adb logcat -b radio | grep -iE "crash|assert|exception"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
