
CVE-2025-20725: CWE-787 Out-of-bounds Write in MediaTek, Inc. MT2735, MT2737, MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8666, MT8667, MT8673, MT8675, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8786, MT8788, MT8788E, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893

0
High
Tags: Vulnerability, CVE-2025-20725, cve, cve-2025-20725, cwe-787
Published: Tue Nov 04 2025 (11/04/2025, 06:19:43 UTC)
Source: CVE Database V5
Vendor/Project: MediaTek, Inc.
Product: MT2735, MT2737, MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8666, MT8667, MT8673, MT8675, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8786, MT8788, MT8788E, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893

Description

In ims service, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01671924; Issue ID: MSV-4620.

AI-Powered Analysis

Last updated: 11/04/2025, 06:48:26 UTC

Technical Analysis

CVE-2025-20725 is a critical vulnerability classified as an out-of-bounds write (CWE-787) found in the IMS (IP Multimedia Subsystem) service of a wide range of MediaTek chipsets spanning from MT2735 to MT8893 series. The root cause is a missing bounds check in the IMS service code, which allows an attacker who controls a rogue base station to perform a remote escalation of privilege on a connected user equipment (UE) device. This vulnerability does not require any additional execution privileges or user interaction, making it highly exploitable in real-world scenarios where attackers can deploy malicious base stations. The affected modem firmware versions include LR12A, NR15, and NR16. The vulnerability could allow attackers to write outside the intended memory bounds, potentially leading to arbitrary code execution, system instability, or compromise of sensitive data on the device. Although no known exploits have been reported in the wild, the broad range of affected chipsets and the critical nature of the IMS service—which handles voice, video, and messaging over IP—make this a significant threat. The issue was reserved in November 2024 and published in November 2025, with MediaTek identifying the patch under ID MOLY01671924 and issue MSV-4620. The vulnerability impacts the confidentiality, integrity, and availability of affected devices and can be leveraged remotely without user interaction, increasing its risk profile.

Potential Impact

For European organizations, this vulnerability poses a serious risk to mobile devices and telecommunications infrastructure that rely on MediaTek chipsets. The IMS service is integral to voice, video, and messaging services over IP networks, so exploitation could lead to unauthorized privilege escalation, device compromise, and interception or manipulation of communications. This could affect enterprise mobile devices, IoT devices, and network equipment using these chipsets, potentially leading to data breaches, espionage, or disruption of critical communications. The ability to exploit the vulnerability remotely via a rogue base station means attackers could target devices in public or corporate environments without physical access. This is particularly concerning for sectors such as government, finance, healthcare, and critical infrastructure in Europe, where secure communications are essential. The lack of user interaction required for exploitation increases the likelihood of successful attacks. Additionally, compromised devices could be used as footholds for lateral movement within corporate networks or for launching further attacks.

Mitigation Recommendations

1. Immediate deployment of the official MediaTek patch (MOLY01671924) for affected modem firmware versions LR12A, NR15, and NR16 is critical.
2. Network operators and enterprises should implement detection and mitigation mechanisms for rogue base stations, including monitoring for anomalous base station behavior and unauthorized cell towers.
3. Enhance UE base station authentication and validation processes to prevent connections to untrusted or malicious base stations.
4. Employ mobile device management (MDM) solutions to enforce timely firmware updates and monitor device integrity.
5. Educate users and administrators about the risks of connecting to unknown or suspicious cellular networks, especially in public or high-risk areas.
6. Collaborate with telecom providers to ensure network-level protections and rapid incident response capabilities.
7. Conduct regular security audits and penetration testing focused on mobile device and network infrastructure vulnerabilities related to IMS and base station interactions.


Technical Details

Data Version: 5.2
Assigner Short Name: MediaTek
Date Reserved: 2024-11-01T01:21:50.392Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6909a1a6d66f5e62e3848f0d

Added to database: 11/4/2025, 6:48:06 AM

Last enriched: 11/4/2025, 6:48:26 AM

Last updated: 11/4/2025, 10:52:43 PM
