CVE-2025-20704: CWE-787 Out-of-bounds Write in MediaTek, Inc. MT6813, MT6835, MT6835T, MT6878, MT6878M, MT6897, MT6899, MT6991, MT8676, MT8678, MT8792, MT8863, MT8873, MT8883
In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is needed for exploitation. Patch ID: MOLY01516959; Issue ID: MSV-3502.
AI Analysis
Technical Summary
CVE-2025-20704 is an out-of-bounds write (CWE-787) in the modem firmware of the fourteen MediaTek chipsets named in the title: MT6813, MT6835, MT6835T, MT6878, MT6878M, MT6897, MT6899, MT6991, MT8676, MT8678, MT8792, MT8863, MT8873 and MT8883, on the NR17 and NR17R modem software versions. The root cause is a missing bounds check: a length or index derived from data received over the air is used for a write without first being compared against the capacity of the destination buffer. The attacker must operate a rogue base station and have the target user equipment (UE) attach to it; no prior execution privileges on the device are required, and MediaTek's advisory states that user interaction is needed. Because the vulnerable code runs in the baseband (the MOLY modem firmware) rather than the application processor, successful exploitation is a remote escalation of privilege into the modem, with high impact on the confidentiality, integrity and availability of the device's cellular functions. This analysis rates the flaw CVSS v3.1 8.0 (adjacent network, low attack complexity, no privileges required, user interaction required, high confidentiality, integrity and availability impact); the structured record further down lists no CVSS version, so treat that score as the analysis's own estimate rather than a vendor-published vector. No exploitation in the wild has been reported. MediaTek tracks the fix as patch ID MOLY01516959 (issue ID MSV-3502). The risk is highest where an attacker can deploy a rogue cell within radio range of the targets.
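The advisory gives no code, so the following is an added illustration of the bug class it describes, not MediaTek's modem source. It assumes a hypothetical wire format of one information element (an identifier octet, a length octet, then that many value octets) decoded into a fixed 16-octet slot that sits directly in front of other modem state; the slot size, the region layout and the constructed messages are all assumptions for the example. The vulnerable parser checks the attacker-controlled length only against the source buffer, which is exactly the pattern behind a CWE-787 out-of-bounds write; the hardened parser adds the missing check against the destination capacity.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout (not MediaTek's): one flat region where octets [0,16) hold the
 * decoded IE value and octets [16,20) hold unrelated modem state. Keeping both in
 * one array makes the overflow observable without undefined pointer arithmetic. */
#define IE_SLOT_LEN  16
#define REGION_LEN   64
#define STATE_MAGIC  0xA5A5A5A5u

struct modem_state {
    uint8_t region[REGION_LEN];
};

enum { IE_OK = 0, IE_TRUNCATED = -1, IE_TOO_LONG = -2 };

static void reset_state(struct modem_state *s)
{
    uint32_t m = STATE_MAGIC;
    memset(s->region, 0, REGION_LEN);
    memcpy(s->region + IE_SLOT_LEN, &m, sizeof m);   /* the "adjacent" state */
}

static uint32_t read_adjacent_state(const struct modem_state *s)
{
    uint32_t v;
    memcpy(&v, s->region + IE_SLOT_LEN, sizeof v);
    return v;
}

/* Vulnerable pattern (CWE-787): msg[1] is the length octet sent by the base
 * station. Only the *source* buffer is validated against it, so any value
 * above IE_SLOT_LEN writes past the slot into the adjacent state. */
int parse_ie_vulnerable(struct modem_state *s, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2) return IE_TRUNCATED;
    size_t len = msg[1];
    if (msg_len - 2 < len) return IE_TRUNCATED;
    memcpy(s->region, msg + 2, len);                  /* no destination check */
    return IE_OK;
}

/* Hardened: reject the element before writing if the slot cannot hold it. */
int parse_ie_hardened(struct modem_state *s, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 2) return IE_TRUNCATED;
    size_t len = msg[1];
    if (msg_len - 2 < len) return IE_TRUNCATED;
    if (len > IE_SLOT_LEN) return IE_TOO_LONG;        /* the missing bounds check */
    memcpy(s->region, msg + 2, len);
    return IE_OK;
}

typedef int (*ie_parser)(struct modem_state *, const uint8_t *, size_t);

/* Constructed test messages: a well-formed 4-octet IE and a rogue IE whose
 * length octet (40) exceeds the slot. Both are made up for this example. */
static const uint8_t benign_msg[] = { 0x7B, 0x04, 0x01, 0x02, 0x03, 0x04 };

static size_t make_rogue_msg(uint8_t *buf, size_t cap)
{
    const size_t value_len = 40;
    if (cap < 2 + value_len) return 0;
    buf[0] = 0x7B;
    buf[1] = (uint8_t)value_len;
    memset(buf + 2, 0x41, value_len);
    return 2 + value_len;
}

/* Returns 1 if feeding the rogue message to `parser` clobbered the adjacent state. */
int rogue_corrupts_state(ie_parser parser, int *rc)
{
    struct modem_state s;
    uint8_t msg[64];
    size_t n = make_rogue_msg(msg, sizeof msg);
    reset_state(&s);
    *rc = parser(&s, msg, n);
    return read_adjacent_state(&s) != STATE_MAGIC;
}

/* Returns 1 if `parser` accepts the benign message and copies its value intact. */
int benign_parses(ie_parser parser)
{
    struct modem_state s;
    reset_state(&s);
    if (parser(&s, benign_msg, sizeof benign_msg) != IE_OK) return 0;
    return memcmp(s.region, benign_msg + 2, 4) == 0 &&
           read_adjacent_state(&s) == STATE_MAGIC;
}

int main(void)
{
    int rc;
    printf("vulnerable: corrupts=%d rc=%d\n", rogue_corrupts_state(parse_ie_vulnerable, &rc), rc);
    printf("hardened:   corrupts=%d rc=%d\n", rogue_corrupts_state(parse_ie_hardened, &rc), rc);
    return 0;
}
```

The point of the demonstration is which buffer the length is checked against: the vulnerable parser's `msg_len - 2 < len` test is a real check, just of the wrong side of the copy, which is why this class of bug survives code review that looks only for "is there a length check". In a modem the adjacent state is typically far more interesting than a magic word (parser state, pointers, protocol context), which is what turns the write into the escalation of privilege the advisory describes.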
Potential Impact
A successful attack gives the attacker code execution, or at least memory corruption, inside the baseband of an affected device, with no prior foothold on the phone. From there the attacker can disrupt modem operations (denial of service, loss of cellular connectivity) or manipulate the modem's handling of traffic, undermining the confidentiality and integrity of calls, SMS and data passing through it. The exposure is physical and local in nature: the attacker needs a rogue cell within radio range, so the realistic scenarios are targeted attacks on specific people, events or sites rather than mass exploitation. Organizations whose staff carry devices built on these MediaTek chipsets, including enterprises with mobile workforces, government agencies, critical-infrastructure operators and telecom providers, therefore face risk of interception, service disruption and device compromise in hostile environments, and should treat travel to such environments as the primary threat model.
Mitigation Recommendations
The fix, MediaTek patch MOLY01516959, is part of the modem (baseband) firmware and reaches devices through the device OEM's firmware updates rather than as something an administrator installs directly. Inventory devices by chipset, confirm with each OEM which build carries the fix for modem versions NR17 and NR17R, and verify deployment on the device by checking that the Android security patch level and the reported baseband version (for example `ro.build.version.security_patch` and `gsm.version.baseband` on Android) match the OEM's fixed build. Mobile device management (MDM) can enforce a minimum patch level and quarantine devices that fall behind; it cannot control which cell a modem camps on, so it does not by itself block a rogue base station. Network operators should monitor for and mitigate rogue base stations using radio frequency monitoring and anomaly detection. Strong network authentication (5G AKA, mutual authentication between UE and network) limits what a rogue cell can do after attachment, but a UE still parses unauthenticated RRC and NAS messages before authentication completes, so this is a partial mitigation at best. User awareness has similarly limited value because cell selection is automatic; train users instead to report sudden loss of service, unexpected network downgrades or other anomalies while travelling, and to keep devices updated. Integrate MediaTek and OEM security bulletins into vulnerability-management tracking, and coordinate with manufacturers and carriers on patch timelines and incident response.
Affected Countries
China, India, United States, South Korea, Taiwan, Japan, Germany, United Kingdom, Brazil, Russia
Technical Details
- Data Version: 5.1
- Assigner Short Name: MediaTek
- Date Reserved: 2024-11-01T01:21:50.383Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68b52c73ad5a09ad00c8fc21
Added to database: 9/1/2025, 5:17:39 AM
Last enriched: 2/27/2026, 12:28:55 AM
Last updated: 3/24/2026, 4:20:18 PM
Views: 83