CVE-2025-20792 Overview
CVE-2025-20792 is a medium-severity vulnerability affecting MediaTek modem components that enables remote denial of service through improper input validation. The vulnerability exists in the modem firmware and can be exploited when a user equipment (UE) connects to a rogue base station controlled by an attacker. This allows the attacker to trigger a system crash without requiring any user interaction or additional execution privileges.
The attack vector is network-based, requiring the attacker to establish a malicious base station to which the target device connects. Once connected, the attacker can send specially crafted input that bypasses validation checks, resulting in a system crash and denial of service condition.
Critical Impact
Remote attackers operating rogue base stations can crash affected MediaTek-based devices without user interaction, potentially disrupting mobile communications for targeted victims.
Affected Products
- MediaTek NR15
- MediaTek MT2735
- MediaTek MT6833 / MT6833P
- MediaTek MT6853 / MT6853T
- MediaTek MT6855 / MT6855T
- MediaTek MT6873
- MediaTek MT6875 / MT6875T
- MediaTek MT6877 / MT6877T / MT6877TT
- MediaTek MT6880
- MediaTek MT6883
- MediaTek MT6885
- MediaTek MT6889
- MediaTek MT6890
- MediaTek MT6891
- MediaTek MT6893
- MediaTek MT8791T
Discovery Timeline
- 2025-12-02 - CVE-2025-20792 published to NVD
- 2025-12-03 - Last updated in NVD database
Technical Details for CVE-2025-20792
Vulnerability Analysis
This vulnerability is classified under CWE-617 (Reachable Assertion), indicating that the modem firmware contains an assertion that can be triggered by external input, leading to a crash. The CVSS 3.1 score is 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H.
The attack complexity is rated as High (AC:H) because it requires the attacker to successfully deploy a rogue base station and have the target device connect to it. However, once these conditions are met, exploitation requires no user interaction (UI:N) and only low privileges (PR:L).
The EPSS (Exploit Prediction Scoring System) probability for this vulnerability is 0.214%, placing it in the 44th percentile, suggesting a moderate likelihood of exploitation in the wild.
Root Cause
The root cause of CVE-2025-20792 lies in improper input validation within the MediaTek modem firmware. When processing certain network signaling messages from a base station, the modem fails to adequately validate input parameters before processing them. This allows malformed or unexpected data to reach a code path containing a reachable assertion, triggering an immediate system crash.
The vulnerability is tracked internally by MediaTek under Patch ID MOLY01717526 and Issue ID MSV-5591.
Attack Vector
The attack requires an adversary to deploy a rogue cellular base station (also known as a fake base station, IMSI catcher, or cell site simulator). When a target device with an affected MediaTek modem connects to this malicious base station, the attacker can transmit specially crafted signaling messages that exploit the input validation flaw.
The attack flow consists of the following stages:
- The attacker deploys a rogue base station in proximity to the target
- The target device performs a handoff or initial connection to the rogue station
- The attacker sends malformed network signaling data that bypasses input validation
- The modem firmware encounters an assertion failure and crashes
- The device experiences a denial of service condition
This attack does not require physical access to the device, stolen credentials, or any user interaction, making it particularly dangerous in targeted attack scenarios.
Detection Methods for CVE-2025-20792
Indicators of Compromise
- Unexpected device reboots or modem crashes without apparent cause
- Repeated loss of cellular connectivity in specific geographic locations
- System logs showing modem assertion failures or watchdog resets
- Multiple devices in the same area experiencing simultaneous connectivity issues
Detection Strategies
Network-level detection of this vulnerability is challenging due to the nature of cellular communications. However, organizations can implement the following strategies:
Device-Level Monitoring:
- Monitor for abnormal modem crash patterns in device logs
- Track frequency of cellular radio resets and modem restarts
- Implement crash reporting mechanisms for mobile device fleets
Environmental Awareness:
- Deploy rogue base station detection systems in sensitive areas
- Monitor for anomalous cellular signal patterns that may indicate fake base stations
- Use enterprise mobility management (EMM) solutions to track device health metrics
Behavioral Analysis:
- Establish baselines for normal modem restart frequency
- Alert on deviations from expected device stability patterns
Monitoring Recommendations
Organizations managing fleets of devices with affected MediaTek chipsets should implement centralized logging and monitoring for modem-related events. SentinelOne Singularity provides endpoint visibility that can help identify patterns of device instability that may indicate exploitation attempts.
Key metrics to monitor include:
- Modem crash frequency per device
- Geographic correlation of device issues
- Time-based patterns that may indicate targeted attacks
How to Mitigate CVE-2025-20792
Immediate Actions Required
- Identify all devices in your environment using affected MediaTek chipsets
- Apply the December 2025 security update from MediaTek when available from your device manufacturer
- Educate users about the risks of connecting to unknown or suspicious cellular networks
- Consider implementing mobile device management (MDM) policies to enforce security updates
Patch Information
MediaTek has released a security patch addressing this vulnerability, tracked as Patch ID MOLY01717526. The fix is documented in MediaTek's December 2025 Product Security Bulletin available at: https://corp.mediatek.com/product-security-bulletin/December-2025
Device manufacturers using affected MediaTek chipsets will need to integrate this patch into their firmware updates. End users should contact their device manufacturers or carriers for the specific timeline of patch availability for their devices.
Workarounds
Since this vulnerability requires connection to a rogue base station, complete mitigation without patching is difficult. However, the following measures can reduce risk:
Network Security Practices:
- Avoid areas where rogue base stations are suspected
- Use Wi-Fi calling when available in sensitive locations
- Consider devices with additional baseband security features
Enterprise Considerations:
- Deploy rogue base station detection in critical facilities
- Implement network access policies that prefer trusted cellular infrastructure
- Consider supplemental connectivity options for high-security scenarios
Organizations should prioritize applying the official patch as soon as it becomes available from their device manufacturers, as workarounds cannot fully address the underlying vulnerability.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
