What are the most critical MediaTek vulnerabilities patched in September 2025?

The most critical vulnerabilities are CVE-2025-20708 and CVE-2025-20704, both with CVSS scores of 9.8. These are out-of-bounds write vulnerabilities in the modem component that can lead to remote privilege escalation. CVE-2025-20708 can be exploited by attackers operating rogue base stations without user interaction, while CVE-2025-20704 requires user interaction.

How does CVE-2025-20708 work and what makes it dangerous?

CVE-2025-20708 is an out-of-bounds write vulnerability in the modem caused by incorrect bounds checking in buffer validation logic. Attackers operating rogue base stations can exploit this flaw to achieve remote privilege escalation on target devices without requiring any user interaction. It affects over 60 chipset models including MT6833, MT6853, MT6877, MT6899, MT6980, MT8673, MT8791, MT8883, and MT8893.

Which MediaTek chipsets are affected by these vulnerabilities?

The vulnerabilities affect a wide range of MediaTek chipsets from MT2718 to MT8796, including popular models like MT6833, MT6853, MT6877, MT6899, MT6991, MT8673, MT8676, MT8678, MT8791, MT8792, MT8883, and MT8893. Different vulnerabilities affect different chipset combinations, with some impacting over 60 models.

What is CVE-2025-20703 and how does it differ from the critical vulnerabilities?

CVE-2025-20703 (CVSS score 7.5) is an out-of-bounds read vulnerability in the modem component caused by incorrect bounds checking. While it doesn't enable full code execution like the critical flaws, attackers can exploit it to cause remote denial-of-service attacks when user equipment connects to malicious base stations. It affects the same chipsets and modem software versions as CVE-2025-20708.

What are the local privilege escalation vulnerabilities in the MediaTek bulletin?

Three use-after-free vulnerabilities enable local privilege escalation: CVE-2025-20705 (monitor_hang driver), CVE-2025-20706 (mbrain task scheduler), and CVE-2025-20707 (geniezone service). All have CVSS scores of 7.8 and require attackers to already have system-level access to exploit them for further privilege escalation or code execution.

Which operating systems are affected by the MediaTek vulnerabilities?

The vulnerabilities affect multiple operating systems including Android 13.0, 14.0, 15.0, and 16.0 platforms, as well as OpenWRT 19.07/21.02 and Yocto 2.6 embedded systems. Different vulnerabilities target different OS versions and platforms depending on the affected chipset models.

When did MediaTek provide security patches to manufacturers?

MediaTek provided security patches to OEM partners in July 2025, two months before releasing the public security bulletin in September 2025. This gave device manufacturers time to integrate the fixes into their firmware updates before public disclosure.

How can users protect themselves from these MediaTek vulnerabilities?

Device users are advised to apply firmware updates as soon as they become available from their device manufacturers. Users should check for and install security updates regularly, enable automatic updates if available, and avoid connecting to untrusted wireless networks or base stations where possible, especially for the critical modem vulnerabilities.

Can the critical MediaTek modem vulnerabilities be exploited remotely?

Yes, CVE-2025-20708 can be exploited remotely by attackers operating rogue base stations without any user interaction required. CVE-2025-20704 can also lead to remote privilege escalation but requires user interaction. CVE-2025-20703 enables remote denial-of-service attacks. These represent serious threats as they can be exploited over cellular networks.

What are the most critical MediaTek vulnerabilities patched in September 2025?

The most critical vulnerabilities are CVE-2025-20708 and CVE-2025-20704, both with CVSS scores of 9.8. These are out-of-bounds write vulnerabilities in the modem component that can lead to remote privilege escalation. CVE-2025-20708 can be exploited by attackers operating rogue base stations without user interaction, while CVE-2025-20704 requires user interaction.

How does CVE-2025-20708 work and what makes it dangerous?

CVE-2025-20708 is an out-of-bounds write vulnerability in the modem caused by incorrect bounds checking in buffer validation logic. Attackers operating rogue base stations can exploit this flaw to achieve remote privilege escalation on target devices without requiring any user interaction. It affects over 60 chipset models including MT6833, MT6853, MT6877, MT6899, MT6980, MT8673, MT8791, MT8883, and MT8893.

Which MediaTek chipsets are affected by these vulnerabilities?

The vulnerabilities affect a wide range of MediaTek chipsets from MT2718 to MT8796, including popular models like MT6833, MT6853, MT6877, MT6899, MT6991, MT8673, MT8676, MT8678, MT8791, MT8792, MT8883, and MT8893. Different vulnerabilities affect different chipset combinations, with some impacting over 60 models.

What is CVE-2025-20703 and how does it differ from the critical vulnerabilities?

CVE-2025-20703 (CVSS score 7.5) is an out-of-bounds read vulnerability in the modem component caused by incorrect bounds checking. While it doesn't enable full code execution like the critical flaws, attackers can exploit it to cause remote denial-of-service attacks when user equipment connects to malicious base stations. It affects the same chipsets and modem software versions as CVE-2025-20708.

What are the local privilege escalation vulnerabilities in the MediaTek bulletin?

Three use-after-free vulnerabilities enable local privilege escalation: CVE-2025-20705 (monitor_hang driver), CVE-2025-20706 (mbrain task scheduler), and CVE-2025-20707 (geniezone service). All have CVSS scores of 7.8 and require attackers to already have system-level access to exploit them for further privilege escalation or code execution.

Which operating systems are affected by the MediaTek vulnerabilities?

The vulnerabilities affect multiple operating systems including Android 13.0, 14.0, 15.0, and 16.0 platforms, as well as OpenWRT 19.07/21.02 and Yocto 2.6 embedded systems. Different vulnerabilities target different OS versions and platforms depending on the affected chipset models.

When did MediaTek provide security patches to manufacturers?

MediaTek provided security patches to OEM partners in July 2025, two months before releasing the public security bulletin in September 2025. This gave device manufacturers time to integrate the fixes into their firmware updates before public disclosure.

How can users protect themselves from these MediaTek vulnerabilities?

Device users are advised to apply firmware updates as soon as they become available from their device manufacturers. Users should check for and install security updates regularly, enable automatic updates if available, and avoid connecting to untrusted wireless networks or base stations where possible, especially for the critical modem vulnerabilities.

Can the critical MediaTek modem vulnerabilities be exploited remotely?

Yes, CVE-2025-20708 can be exploited remotely by attackers operating rogue base stations without any user interaction required. CVE-2025-20704 can also lead to remote privilege escalation but requires user interaction. CVE-2025-20703 enables remote denial-of-service attacks. These represent serious threats as they can be exploited over cellular networks.

Advisory

MediaTek reports multiple vulnerabilities affecting mobile devices

Q: What vulnerabilities did MediaTek patch in September 2025?

MediaTek released its September 2025 Product Security Bulletin patching six vulnerabilities that affect chipsets powering smartphones, tablets, and IoT devices globally. The vulnerabilities include two critical flaws with CVSS scores of 9.8 and four high-severity issues with CVSS scores of 7.5-7.8.

published: Sept. 1, 2025

Take action: MediaTek has patched their vulnerabilities, but you can't apply the patches directly. You need to wait for your vendor that integrated the MediaTek chips to release an update. Best you can do is be diligent and monitor for an update from your vendor. For IoT implementations, reach out to your vendor for timeline of a patch.

Learn More

MediaTek has released its September 2025 Product Security Bulletin, patching six vulnerabilities that affect chipsets powering smartphones, tablets, and IoT devices globally.

Vulnerabilities summary

CVE-2025-20708 (CVSS score 9.8) - Out-of-bounds write in Modem caused by an incorrect bounds check in the modem's buffer validation logic. Attackers operating rogue base stations can exploit this flaw to achieve remote privilege escalation on target devices without requiring any user interaction. The vulnerability affects over 60 chipset models including MT6833, MT6853, MT6877, MT6899, MT6980, MT8673, MT8791, MT8883, and MT8893, running Modem NR15, NR16, NR17, and NR17R software versions.
CVE-2025-20704 (CVSS score 9.8) - Out-of-bounds write in Modem caused due to a missing bounds check in the modem firmware and can lead to remote privilege escalation. Unlike the previous two flaws, this vulnerability requires user interaction for successful exploitation. It affects a MT6813, MT6835, MT6835T, MT6878, MT6878M, MT6897, MT6899, MT6991, MT8676, MT8678, MT8792, MT8863, MT8873, and MT8883, specifically targeting Modem NR17 and NR17R versions.
CVE-2025-20703 (CVSS score 7.5) - Out-of-bounds read in Modem: Similar to CVE-2025-20708, this vulnerability is caused by an incorrect bounds check in the modem component. While it does not enable full code execution, attackers can exploit this flaw to cause remote denial-of-service attacks when user equipment connects to malicious base stations. The vulnerability affects the same chipsets and modem software versions as CVE-2025-20708.
CVE-2025-20705 (CVSS score 7.8) - Use after free in monitor_hang caused by the monitor_hang driver and could enable local privilege escalation if a malicious actor has already obtained system privileges. The flaw affects MT2718 to MT8796 across Android 13.0, 14.0, 15.0, and 16.0 platforms, as well as OpenWRT 19.07/21.02 and Yocto 2.6 embedded systems.
CVE-2025-20706 (CVSS score 7.8) - Use after free in mbrain impacts the mbrain task scheduler component and could lead to local code execution for attackers with system-level access. It affects MT6899, MT6989, MT6991, MT8676, and MT8678 running Android 14.0 and 15.0.
CVE-2025-20707 (CVSS score 7.8) - Use after free in geniezone caused by the geniezone service and can result in memory corruption under local privilege conditions. It affects MT2718, MT6853, MT6877, MT6893, MT6899, MT6991, MT8196, MT8676, MT8678, MT8775, MT8786, MT8788E, MT8791T, MT8792, MT8796, MT8883, and MT8893 across Android 13.0, 14.0, and 15.0.

MediaTek has provided security patches to OEM partners in July 2025. Device users are advised to apply firmware updates as soon as they become available from their device manufacturers.

MediaTek reports multiple vulnerabilities affecting mobile devices