
CVE-2025-20725: CWE-787 Out-of-bounds Write in MediaTek, Inc. MT2735, MT2737, MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8666, MT8667, MT8673, MT8675, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8786, MT8788, MT8788E, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893

Severity: High
Tags: Vulnerability, CVE-2025-20725, cve, cve-2025-20725, cwe-787
Published: Tue Nov 04 2025 (11/04/2025, 06:19:43 UTC)
Source: CVE Database V5
Vendor/Project: MediaTek, Inc.
Product: MT2735, MT2737, MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6833, MT6833P, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6980, MT6980D, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT8666, MT8667, MT8673, MT8675, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8786, MT8788, MT8788E, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893

Description

In ims service, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01671924; Issue ID: MSV-4620.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 00:34:13 UTC

Technical Analysis

CVE-2025-20725 is a critical vulnerability classified under CWE-787 (Out-of-bounds Write) affecting the IMS (IP Multimedia Subsystem) service in a broad range of MediaTek modem chipsets, including but not limited to MT2735, MT6761, MT6762, MT6769, MT6771, MT6853, MT6980, MT8788, and many others. The flaw results from a missing bounds check in the IMS service code, which allows an attacker to perform an out-of-bounds write operation. This memory corruption can lead to remote escalation of privilege on the device. The attack vector involves a user equipment (UE) connecting to a rogue base station controlled by the attacker. Notably, exploitation does not require any user interaction or elevated privileges on the device, making it easier to exploit remotely. The vulnerability affects modem firmware versions LR12A, NR15, and NR16. The CVSS v3.1 base score is 7.5, indicating high severity, with attack vector network (AV:N), attack complexity high (AC:H), privileges required low (PR:L), no user interaction (UI:N), and impacts on confidentiality, integrity, and availability all rated high. MediaTek has assigned patch ID MOLY01671924 to fix this issue. Although no known exploits are currently reported in the wild, the vulnerability's characteristics pose a significant risk to mobile devices using these chipsets, potentially allowing attackers to gain unauthorized control or disrupt device functionality remotely.

Potential Impact

The vulnerability allows remote attackers to escalate privileges on affected devices by exploiting a rogue base station, potentially compromising the confidentiality, integrity, and availability of the device. This could lead to unauthorized access to sensitive user data, interception or manipulation of communications, installation of persistent malware, or denial of service conditions. Given the widespread use of MediaTek chipsets in smartphones and IoT devices globally, the impact can be extensive, affecting both individual users and enterprise environments relying on mobile connectivity. The lack of required user interaction and low privilege requirements lower the barrier for exploitation, increasing the threat level. Organizations could face data breaches, service disruptions, and increased risk of targeted attacks leveraging this vulnerability. The broad range of affected chipset models means many device manufacturers and carriers must coordinate patch deployment, complicating mitigation efforts.

Mitigation Recommendations

1. Immediately apply the official patch MOLY01671924 provided by MediaTek to all affected modem firmware versions (LR12A, NR15, NR16).
2. Device manufacturers and carriers should prioritize firmware updates and coordinate rapid deployment to end users.
3. Implement network-level protections to detect and block rogue base stations, such as enhanced base station authentication and anomaly detection systems.
4. Employ mobile threat defense solutions capable of identifying suspicious network behavior indicative of rogue base station attacks.
5. Educate users and administrators about the risks of connecting to untrusted cellular networks, especially in high-risk environments.
6. Monitor device logs and network traffic for signs of exploitation attempts or unusual IMS service behavior.
7. For critical infrastructure relying on affected devices, consider temporary network segmentation or alternative communication channels until patches are applied.
8. Collaborate with telecom providers to enhance detection and mitigation of rogue base stations in their networks.


Technical Details

Data Version: 5.2
Assigner Short Name: MediaTek
Date Reserved: 2024-11-01T01:21:50.392Z
Cvss Version: null
State: PUBLISHED

Threat ID: 6909a1a6d66f5e62e3848f0d

Added to database: 11/4/2025, 6:48:06 AM

Last enriched: 2/27/2026, 12:34:13 AM

Last updated: 3/25/2026, 1:50:51 AM
