Cybersecurity Vulnerabilities

CVE-2025-20758: Critical Remote Denial of Service Vulnerability Found in MediaTek Modems

December 2, 2025 - By 

Overview

CVE-2025-20758 is a newly discovered vulnerability affecting MediaTek modem firmware. This vulnerability allows a remote attacker to cause a system crash, leading to a denial-of-service (DoS) condition. The vulnerability is triggered by an uncaught exception within the modem’s software. Exploitation is possible without user interaction and requires no elevated privileges, posing a significant risk to affected devices.

Technical Details

The root cause of CVE-2025-20758 lies in the modem firmware’s handling of specific network conditions. Specifically, an uncaught exception can occur when a User Equipment (UE) connects to a rogue or malicious base station controlled by an attacker. The vulnerability (Issue ID: MSV-4647) triggers when malformed data or unexpected commands are sent to the modem, leading to the exception and subsequent system crash.

The patch for this vulnerability is identified as MOLY01673755.

CVSS Analysis

Currently, a CVSS score is not available for CVE-2025-20758. However, considering the remote exploitability, lack of required privileges, and the potential for denial of service, the vulnerability is likely to be classified as high or critical severity once a CVSS score is assigned.

Possible Impact

The successful exploitation of CVE-2025-20758 can result in the following:

  • Denial of Service (DoS): The most immediate impact is a system crash, rendering the device unusable.
  • Interrupted Connectivity: Devices relying on the vulnerable modem for cellular connectivity will lose network access.
  • Battery Drain: Repeated crashes and reboots could lead to increased battery consumption.

Mitigation and Patch Steps

The primary mitigation strategy is to apply the provided patch (MOLY01673755) as soon as possible. Contact your device manufacturer or carrier for information on when the patch will be available for your specific device. End users should ensure their devices are updated with the latest security patches when they become available. For device manufacturers, apply the provided fix from MediaTek to prevent exploitation.

References

MediaTek Product Security Bulletin – December 2025

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.

Related Posts

CVE-2025-61932 Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

CVE-2025-61932: Critical Remote Code Execution Vulnerability in LANSCOPE Endpoint Manager

October 23, 2025

Leave a Reply

Your email address will not be published. Required fields are marked *