
MediaTek today released an important security announcement addressing multiple vulnerabilities in its latest modem chipsets and urged device manufacturers to deploy updates immediately. This announcement comes two months after confidential notifications were sent to manufacturers, confirming that no exploitation of these vulnerabilities has been observed in the wild.Part01
Key Points
- MediaTek has patched high and medium severity vulnerabilities in over 60 chipsets related to modem and firmware.
- Manufacturers received the patch in July and need to update Modem NR and BSP immediately.
- No exploitation of the vulnerabilities has been detected so far.
Part02
High-Risk Buffer Overflow Vulnerabilities
Three high-risk vulnerabilities (CVSS v3.1 scores) affect the modem firmware of several MediaTek chipsets:CVE-2025-20708:A buffer overflow vulnerability in the modem’s buffer validation logic (CWE-787) that may lead to remote privilege escalation when a user equipment (UE) connects to a malicious base station. This vulnerability can be triggered without user interaction. Affected chipsets include MT6813, MT6833, MT6855, MT8873, MT8893, and over 60 models running Modem NR15-NR17R software versions.CVE-2025-20703:A buffer read vulnerability (CWE-125) in the same modem component that may lead to remote denial of service under similar conditions, also without user interaction. Affected chipsets include MT2735, MT6789, MT6893, MT8678, MT8791T, MT8883, all running NR15-NR17R versions.CVE-2025-20704:A second buffer overflow vulnerability (CWE-787) due to a lack of boundary checks that may also lead to remote privilege escalation, but exploitation of this vulnerability requires user interaction. This vulnerability affects over ten chipsets including MT6835T, MT6899, MT6991, MT8676, MT8792, all running Modem NR17 and NR17R versions.Part03
Medium Severity Memory Corruption Vulnerabilities
There are three medium severity use-after-free vulnerabilities (CWE-416) in the firmware modules monitor_hang, mbrain, and geniezone:CVE-2025-20705 (“monitor_hang uaf”):The use-after-free error may allow an attacker with system privileges to achieve local privilege escalation. The affected range includes multiple chipsets from MT2718 to MT8796, involving Android versions 13-16, OpenWRT 19.07/21.02, and Yocto 2.6 versions.CVE-2025-20706 (“mbrain uaf”):A similar memory corruption issue in the mbrain task scheduler of chipsets MT6899, MT6989, MT6991, MT8676, and MT8678 that may lead to local code execution when running Android versions 14-15.CVE-2025-20707 (“geniezone uaf”):A vulnerability in the geniezone service may lead to memory corruption under local privilege conditions for models MT2718, MT6853, MT8792, MT8883 running Android versions 13-15.
Except for CVE-2025-20704, which was discovered by an internal validation team, the other vulnerabilities were disclosed through external security research.Part04
Scope of Affected Products and Repair Recommendations
These vulnerabilities affect a wide range of MediaTek chipsets, from the MT27xx and MT67xx mobile platforms to newer models MT68xx, MT69xx, and MT87xx used in smartphones, tablets, and IoT devices. Affected software versions include Modem NR15–NR17R and Android versions 13.0 to 16.0, as well as openWRT and Yocto distributions.MediaTek has confirmed that it notified device manufacturers in advance: “At least two months before the announcement, we informed all OEM manufacturers of the issues and corresponding security patches.” Security updates have been distributed to vendors, and end users are advised to install the latest firmware or operating system updates provided by device manufacturers.
References:
MediaTek Security Update – Patch for Multiple Vulnerabilities Across Chipsets
https://cybersecuritynews.com/mediatek-security-update/Recommended Reading
