MediaTek Releases Critical Security Updates to Address Multiple Chipset Vulnerabilities

MediaTek, a leading semiconductor company, has issued a security bulletin addressing several vulnerabilities across its chipsets, spanning the cellular modem firmware and several platform software components. Device manufacturers are urged to integrate these updates promptly to safeguard user devices.

Overview of the Security Bulletin

The bulletin, released two months after notifying original equipment manufacturers (OEMs), confirms that no known exploits have been detected in the wild. Key points include:

1. Comprehensive Patching: MediaTek has addressed both high- and medium-severity vulnerabilities affecting over 60 chipset models.

2. OEM Notifications: Fixes were distributed to OEMs in July, with recommendations to update Modem NR and Board Support Package (BSP) components immediately.

3. No Detected Exploits: As of the bulletin’s release, there have been no reports of these vulnerabilities being exploited.

High-Severity Vulnerabilities

The bulletin highlights three high-severity vulnerabilities within the modem firmware, all reachable over the air by an attacker who controls the base station a device attaches to:

– CVE-2025-20708: This out-of-bounds write flaw (CWE-787) in the modem’s buffer validation logic allows remote privilege escalation when a device connects to a malicious base station. No user interaction is required. Affected chipsets include MT6813, MT6833, MT6855, MT8873, MT8893, and over 60 others running Modem NR15–NR17R software versions.

– CVE-2025-20703: An out-of-bounds read vulnerability (CWE-125) in the modem component can lead to remote denial-of-service attacks under similar conditions, without user interaction. Impacted chipsets include MT2735, MT6789, MT6893, MT8678, MT8791T, MT8883, among others, all on NR15–NR17R releases.

– CVE-2025-20704: Another out-of-bounds write issue (CWE-787) due to a missing bounds check can result in remote privilege escalation, though user interaction is necessary for exploitation. This flaw affects chipsets such as MT6835T, MT6899, MT6991, MT8676, MT8792, and several others running Modem NR17 and NR17R builds.
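The three modem flaws above share one root cause class: a length field taken from an over-the-air message is used to size a copy without being checked against either the destination buffer (an out-of-bounds write, CWE-787) or the remaining input (an out-of-bounds read, CWE-125). The following is an added illustration of that pattern and its fix, written for this page; it is not MediaTek's code, does not reproduce any real modem message format, and uses a constructed `[type:1][len:1][value:len]` element layout and a hypothetical fixed-size `struct element` purely to show the defect beside the hardened parser.

```c
/*
 * Added illustration (not MediaTek code): a length-prefixed TLV parser of the
 * kind found in modem message handlers, first with the missing bounds check
 * that produces CWE-787 / CWE-125, then hardened.
 * Element format (constructed for this example): [type:1][len:1][value:len]
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VALUE_MAX 16   /* fixed-size destination, common in firmware parsers */

struct element {
    uint8_t type;
    uint8_t len;
    uint8_t value[VALUE_MAX];
};

/* Vulnerable: trusts the attacker-controlled len byte.
 *  - len > VALUE_MAX        writes past out->value (CWE-787)
 *  - len > remaining input  reads past the end of msg (CWE-125)
 * Returns bytes consumed. Kept only to show the defect; never call it on
 * untrusted input. */
size_t parse_element_vulnerable(const uint8_t *msg, size_t msg_len,
                                struct element *out)
{
    if (msg_len < 2) return 0;
    out->type = msg[0];
    out->len  = msg[1];
    memcpy(out->value, msg + 2, out->len);   /* no bounds check on len */
    return 2 + (size_t)out->len;
}

/* Hardened: the length is validated against both the destination capacity
 * and the remaining input before any copy. Returns bytes consumed, or 0
 * (leaving *out untouched) for a malformed element. */
size_t parse_element_safe(const uint8_t *msg, size_t msg_len,
                          struct element *out)
{
    if (msg == NULL || out == NULL || msg_len < 2) return 0;
    uint8_t len = msg[1];
    if (len > VALUE_MAX)  return 0;   /* would overflow out->value */
    if (len > msg_len - 2) return 0;  /* would read past the message */
    out->type = msg[0];
    out->len  = len;
    memcpy(out->value, msg + 2, len);
    return 2 + (size_t)len;
}

/* Walk a whole message with the safe parser. Returns the number of elements
 * accepted, or -1 if any element is malformed: a message from an untrusted
 * peer is rejected outright rather than parsed "best effort". */
int parse_message_safe(const uint8_t *msg, size_t msg_len,
                       struct element *elems, size_t max_elems)
{
    size_t off = 0;
    int n = 0;
    while (off < msg_len) {
        if ((size_t)n >= max_elems) return -1;
        size_t used = parse_element_safe(msg + off, msg_len - off, &elems[n]);
        if (used == 0) return -1;
        off += used;
        n++;
    }
    return n;
}

/* Constructed sample messages: one well-formed, one claiming 255 value bytes
 * (would overflow the 16-byte buffer), one whose length exceeds the input. */
const uint8_t GOOD_MSG[]  = {0x01, 0x03, 0xAA, 0xBB, 0xCC, 0x02, 0x00};
const uint8_t OVERSIZE_MSG[] = {0x01, 0xFF, 0xAA};
const uint8_t TRUNC_MSG[] = {0x01, 0x05, 0xAA, 0xBB};

int main(void)
{
    struct element e[4];
    printf("good:      %d elements\n", parse_message_safe(GOOD_MSG, sizeof GOOD_MSG, e, 4));
    printf("oversize:  %d\n", parse_message_safe(OVERSIZE_MSG, sizeof OVERSIZE_MSG, e, 4));
    printf("truncated: %d\n", parse_message_safe(TRUNC_MSG, sizeof TRUNC_MSG, e, 4));
    return 0;
}
```

The check that matters is the pair of comparisons in `parse_element_safe`: the destination bound stops the write overflow and the input bound stops the over-read, and both must be applied before `memcpy` runs. The "reject the whole message" policy in `parse_message_safe` mirrors what a modem should do with a malformed frame from a base station it cannot trust.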

Medium-Severity Vulnerabilities

Additionally, three medium-severity use-after-free vulnerabilities (CWE-416) have been identified:

– CVE-2025-20705 (monitor_hang uaf): This flaw could enable local privilege escalation for attackers with existing system privileges. Affected chipsets range from MT2718 to MT8796 across Android 13–16, OpenWRT 19.07/21.02, and Yocto 2.6 releases.

– CVE-2025-20706 (mbrain uaf): Memory corruption in the mbrain task scheduler on chipsets like MT6899, MT6989, MT6991, MT8676, and MT8678 running Android 14–15 may lead to local code execution.

– CVE-2025-20707 (geniezone uaf): A flaw in the geniezone service can result in memory corruption under local privilege conditions on chipsets including MT2718, MT6853, MT8792, MT8883, and others across Android 13–15.

Summary of Vulnerabilities

| CVE ID | Title | Severity |
|----------------|--------------------------------|----------|
| CVE-2025-20708 | Out-of-bounds write in Modem | High |
| CVE-2025-20703 | Out-of-bounds read in Modem | High |
| CVE-2025-20704 | Out-of-bounds write in Modem | High |
| CVE-2025-20705 | Use after free in monitor_hang | Medium |
| CVE-2025-20706 | Use after free in mbrain | Medium |
| CVE-2025-20707 | Use after free in geniezone | Medium |

Discovery and Mitigation

All vulnerabilities, except CVE-2025-20704, were discovered through external security research. CVE-2025-20704 was identified by MediaTek’s internal validation teams. OEM partners received patches in July, and firmware updates incorporating these fixes are being rolled out. MediaTek advises integrators to upgrade Modem NR and Android BSP versions to mitigate potential risks.

Implications for Users and Manufacturers

These vulnerabilities underscore the importance of timely software updates. Device manufacturers should prioritize integrating these patches to protect users from potential exploits. Because modem and BSP fixes ship as part of the manufacturer's device firmware image rather than as an app update, end users depend on their OEM's over-the-air release schedule; they are encouraged to regularly check for and install firmware updates to ensure their devices remain secure.

Conclusion

MediaTek’s proactive approach in addressing these vulnerabilities highlights the company’s commitment to device security. By collaborating with OEMs and providing timely updates, MediaTek aims to maintain the integrity and safety of devices powered by its chipsets.