MediaTek, a leading semiconductor company, has issued a critical security update to address multiple vulnerabilities in its chipsets, including a severe flaw that could allow attackers to execute malicious code remotely without user interaction. This update is crucial for a wide range of devices, including smartphones, tablets, IoT devices, smart displays, and various multimedia equipment.
Critical Vulnerability Details
The primary focus of this security update is CVE-2025-20654, a critical vulnerability found in the WLAN service component of several MediaTek chipsets. This flaw arises from an out-of-bounds write issue due to improper bounds checking, classified under CWE-787 (Out-of-bounds Write). Exploitation of this vulnerability could enable remote code execution without requiring additional execution privileges or user interaction.
The affected chipsets include:
– MT6890
– MT7622
– MT7915
– MT7916
– MT7981
– MT7986
The impacted software versions are:
– SDK version 7.4.0.1 for MT7622 and MT7915 chipsets
– SDK version 7.6.7.0 for MT7916, MT7981, and MT7986 chipsets
– OpenWrt versions 19.07 and 21.02 for the MT6890 chipset
Additional Security Concerns
In addition to CVE-2025-20654, the security bulletin addresses several high-severity vulnerabilities:
– CVE-2025-20655: An out-of-bounds write in the vdec component, potentially leading to local privilege escalation.
– CVE-2025-20656: An out-of-bounds write in the wlan driver, which could allow remote code execution without user interaction.
– CVE-2025-20657: An out-of-bounds read in the vdec component, possibly resulting in local information disclosure.
– CVE-2025-20658: An out-of-bounds read in the Telephony component, which could lead to remote denial of service.
Additionally, six medium-severity flaws (CVE-2025-20659 through CVE-2025-20664) have been identified and patched.
Mitigation
Manufacturers using affected MediaTek chipsets are strongly advised to review the complete Product Security Bulletin and implement the recommended patches immediately. End-users should ensure their devices are running the latest firmware versions by checking for and installing available updates.
Broader Implications
MediaTek’s chipsets power a significant portion of global smartphones and IoT devices. Unpatched vulnerabilities in these devices could lead to severe consequences, including unauthorized access, data breaches, and disruption of services. The company’s proactive approach in releasing timely security updates underscores the importance of maintaining the integrity and security of its technology ecosystem.
This security update exemplifies MediaTek’s ongoing commitment to protecting millions of devices and their users worldwide from potential exploitation.
