CVE-2025-20794 Overview
CVE-2025-20794 is a stack-based buffer overflow vulnerability (CWE-121) in MediaTek modem components that allows remote attackers to cause a denial of service condition through improper input validation. The vulnerability exists in the modem firmware across a wide range of MediaTek chipsets used in smartphones, tablets, and IoT devices.
When a User Equipment (UE) connects to a rogue base station controlled by an attacker, specially crafted data can trigger a system crash. This attack requires no additional execution privileges on the target device and does not require any user interaction, making it particularly dangerous in scenarios where attackers can deploy malicious cellular infrastructure.
Critical Impact
Remote denial of service affecting devices with MediaTek modems when connected to attacker-controlled base stations. No user interaction required for exploitation.
Affected Products
- MediaTek NR15, NR16, NR17, NR17R (5G NR Modem Firmware)
- MediaTek MT67xx series chipsets (MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899)
- MediaTek MT69xx series chipsets (MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993)
- MediaTek MT2735, MT2737 (Modem ICs)
- MediaTek MT87xx series chipsets (MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893)
Discovery Timeline
- January 6, 2026 - CVE-2025-20794 published to NVD
- January 8, 2026 - Last updated in NVD database
Technical Details for CVE-2025-20794
Vulnerability Analysis
This vulnerability stems from improper input validation within the MediaTek modem firmware. The modem component fails to properly validate data received from cellular base stations before processing it, leading to a stack-based buffer overflow condition (CWE-121). When a device connects to a malicious base station, the attacker can send crafted signaling data that overflows stack buffers in the modem's processing routines.
The attack is network-based and can be executed remotely without requiring any privileges on the target device. The exploitation does not require user interaction, meaning the attack can succeed automatically when a vulnerable device enters the range of a rogue base station. While the vulnerability does not allow for code execution or data theft, it causes complete system crashes, disrupting device availability.
Root Cause
The root cause is a CWE-121 (Stack-based Buffer Overflow) vulnerability in the modem firmware's input handling routines. The modem does not perform adequate bounds checking on incoming data from base station communications, allowing oversized or malformed input to overflow stack-allocated buffers. This leads to corruption of stack memory and subsequent system crashes.
Attack Vector
The attack vector leverages rogue base station infrastructure. An attacker deploys a malicious cellular base station (also known as a "fake cell tower" or IMSI catcher) within range of target devices. When vulnerable MediaTek-powered devices connect to the rogue station—either through forced handover attacks or by presenting a stronger signal than legitimate towers—the attacker sends specially crafted signaling messages that exploit the improper input validation flaw.
The attack chain proceeds as follows:
- Attacker deploys a rogue base station in a target area
- Vulnerable devices within range may connect to the rogue station
- The attacker sends malformed modem signaling data to connected devices
- Insufficient validation causes stack buffer overflow in the modem firmware
- The affected device experiences a system crash, resulting in denial of service
No proof-of-concept exploit code is currently publicly available. The vulnerability is identified by Patch IDs MOLY01689259 and MOLY01586470, and tracked internally by MediaTek as Issue ID MSV-4847.
Detection Methods for CVE-2025-20794
Indicators of Compromise
- Unexpected device reboots or crashes, particularly when in areas with potentially malicious cellular coverage
- Modem crash logs indicating stack corruption or buffer overflow conditions
- Unusual cellular connectivity behavior including forced network handovers
- System logs showing repeated modem subsystem failures
Detection Strategies
- Monitor device stability metrics for patterns of unexplained crashes that correlate with geographic locations
- Implement cellular network monitoring to detect rogue base stations in enterprise environments
- Deploy SentinelOne agents to detect anomalous system behavior and correlate crash events across managed devices
- Review modem firmware versions across fleet to identify devices running vulnerable versions
Monitoring Recommendations
- Enable verbose modem logging on enterprise-managed devices to capture crash telemetry
- Implement centralized crash reporting to identify patterns indicative of targeted attacks
- Monitor for unusual cellular network behavior using enterprise mobility management (EMM) solutions
- Deploy network security solutions capable of detecting rogue base station activity in sensitive areas
How to Mitigate CVE-2025-20794
Immediate Actions Required
- Apply firmware updates from device OEMs that incorporate MediaTek's security patches (MOLY01689259 / MOLY01586470)
- Review the MediaTek Security Bulletin January 2026 for detailed patch information
- Prioritize updates for devices used in sensitive environments or high-value target scenarios
- Consider restricting devices to trusted cellular networks where possible in high-security environments
Patch Information
MediaTek has released security patches addressing this vulnerability as documented in the MediaTek Security Bulletin January 2026. The patches are identified as:
- Patch ID: MOLY01689259
- Patch ID: MOLY01586470
- Issue ID: MSV-4847
Device manufacturers using affected MediaTek chipsets must integrate these patches into their firmware updates. End users should apply all available system updates from their device OEMs to receive the fix.
Workarounds
- No complete workaround is available as the vulnerability exists in modem firmware
- In high-security environments, consider using cellular signal detection equipment to identify rogue base stations
- Enable airplane mode when in untrusted or high-risk areas to prevent cellular connectivity
- Use enterprise mobility management to enforce timely security updates across managed device fleets
- Consider deploying devices with alternative chipsets in critical infrastructure scenarios until patches are applied
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
