MediaTek Issues Security Update to Patch Multiple Chipset Vulnerabilities

MediaTek has today published its September 2025 Product Security Bulletin, detailing critical vulnerabilities discovered in a range of its chipsets and associated modem firmware.

The company confirms that all affected device OEMs received security patches at least two months before this public disclosure and emphasizes that there is currently no evidence of these flaws being exploited in the wild.

Overview of Vulnerabilities

The bulletin classifies seven vulnerabilities across high and medium severity levels, as determined by the Common Vulnerability Scoring System version 3.1 (CVSS v3.1).

Three issues carry a High severity rating:

An additional three issues are rated Medium severity:

The high-severity flaws enable remote privilege escalation or denial-of-service when a user equipment (UE) attaches to a malicious base station.

No user interaction is required to exploit CVE-2025-20708 or CVE-2025-20703; CVE-2025-20704 requires a user-triggered network reconnection.

The Medium severity issues involve local privilege escalation paths after an attacker has already obtained system-level access.

Technical Details and Affected Chipsets

CVE-2025-20708 and CVE-2025-20703 both stem from incorrect bounds checks in the Modem firmware (versions NR15, NR16, NR17, NR17R) that allow out-of-bounds memory access.

Affected chipsets range from MT2735, MT2737 and MT6813 through to newer platforms such as MT6991, MT8676, and MT8883.

CVE-2025-20704 arises from a missing bounds check in NR17/NR17R firmware on a subset of chipsets, including MT6835, MT6878, MT6899, and MT8678.

Exploitation requires UE reconnection to a rogue station.
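The defect class behind the high-severity modem issues, an incorrect bounds check on data the UE receives from a base station, as an added illustration in C (constructed here, not MediaTek's firmware code): a length-prefixed information element is parsed once with an incomplete check and once with the check a modem parser needs. The message layout, buffer size and all names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration, not MediaTek firmware code: a downlink
 * information element (IE) from the base station is a type byte, a length
 * byte and 'len' value bytes that the UE copies into a fixed buffer.
 * The message layout and all names here are assumptions. */
#define IE_BUF_SIZE 16
typedef struct { uint8_t type; uint8_t len; uint8_t val[IE_BUF_SIZE]; } ie_t;

/* Incorrect bounds check: 'len' is compared with the capacity of val[] but
 * not with the bytes actually received, so a truncated message makes memcpy
 * read past the end of 'msg' (an out-of-bounds read). */
int parse_ie_weak(const uint8_t *msg, size_t msg_len, ie_t *out)
{
    if (msg_len < 2) return -1;
    out->type = msg[0];
    out->len = msg[1];
    if (out->len > IE_BUF_SIZE) return -1;   /* only half of the needed check */
    memcpy(out->val, msg + 2, out->len);      /* may read beyond msg_len */
    return 0;
}

/* Hardened version: a peer-supplied length is checked against both the
 * destination capacity and the remaining input before anything is copied. */
int parse_ie_fixed(const uint8_t *msg, size_t msg_len, ie_t *out)
{
    if (msg == NULL || out == NULL || msg_len < 2) return -1;
    uint8_t len = msg[1];
    if (len > IE_BUF_SIZE) return -1;         /* destination capacity */
    if ((size_t)len > msg_len - 2) return -1; /* bytes actually received */
    out->type = msg[0];
    out->len = len;
    memcpy(out->val, msg + 2, len);
    return 0;
}

/* Constructed samples: ie_truncated claims 12 value bytes but carries only 3. */
static const uint8_t ie_ok[] = { 0x21, 0x03, 0xAA, 0xBB, 0xCC };
static const uint8_t ie_truncated[] = { 0x21, 0x0C, 0xAA, 0xBB, 0xCC };

/* Runs the hardened parser; returns -1 on rejection, else the last value byte. */
int hardened_result(const uint8_t *msg, size_t msg_len)
{
    ie_t ie;
    if (parse_ie_fixed(msg, msg_len, &ie) != 0 || ie.len == 0) return -1;
    return ie.val[ie.len - 1];
}
```

The weak parser is kept only for contrast; it is never run on the truncated sample here, because doing so is exactly the out-of-bounds read the hardened check prevents.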

The Medium severity issues (CWE-416, Use After Free) occur in distinct modules:

  • monitor_hang on Android 13–16 and embedded Linux (OpenWrt 19.07/21.02, Yocto 2.6) across chipsets MT2718–MT8796.
  • mbrain on Android 14/15 for MT6899, MT6989, MT6991, MT8676, MT8678.
  • geniezone on Android 13–15 impacting MT2718, MT6853, MT6877, MT6899, MT8893, among others.

Each CVE entry specifies the CWE identifier, full description, affected chipset list, firmware or OS versions, and whether the report source was external or internal.

Mitigation and Recommendations

MediaTek has provided patches addressing each CWE root cause.

Device OEMs should ensure that firmware images include the updated modem binaries (NR15 through NR17R) with enforced bounds checks, and that the memory-management routines in the monitor_hang, mbrain, and geniezone modules are updated to prevent use-after-free.

OEMs must:

  1. Integrate Patches: Merge security patches into stable release branches and QA-validate on each affected chipset.
  2. Firmware Update Rollout: Distribute OTA updates or service-center-level firmware installations to end devices.
  3. Security Testing: Conduct fuzz testing against bounds violations (CWE-125, CWE-787) and perform heap/use-after-free static analysis for CWE-416 vectors.
  4. Monitor and Report: Track any anomaly logs indicative of rogue base-station interactions or memory-corruption crashes.

For further information or to report new vulnerabilities, OEM security teams should contact their designated MediaTek security liaison or visit the MediaTek Security Contact portal.

Continuous collaboration between chipset vendors and device manufacturers remains critical to safeguarding the mobile ecosystem.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
