CVE-2025-20794: CWE-121 Stack Overflow in MediaTek, Inc. MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

High
Published: Tue Jan 06 2026 (01/06/2026, 01:46:31 UTC)
Source: CVE Database V5
Vendor/Project: MediaTek, Inc.
Product: MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893

Description

In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689259 / MOLY01586470; Issue ID: MSV-4847.

AI-Powered Analysis

Last updated: 01/06/2026, 02:26:18 UTC

Technical Analysis

CVE-2025-20794 is a stack-based buffer overflow (CWE-121) in the modem firmware of a wide array of MediaTek chipsets, including models MT2735 through MT8893. The vulnerability stems from improper input validation within the modem component and can be exploited by an attacker who controls a rogue base station. When a user equipment (UE) device connects to such a base station, specially crafted inputs can trigger the overflow, crashing the system and causing a denial of service. Exploitation requires neither user interaction nor additional execution privileges, which lowers the bar for a remote attack. The affected modem firmware versions include NR15, NR16, NR17, and NR17R. Although no public exploits have been observed, the nature of the vulnerability and the extensive list of affected chipsets pose a considerable threat. The issue was reserved in November 2024 and published in January 2026, with patches identified as MOLY01689259 and MOLY01586470. The vulnerability affects the availability of devices using these modems, potentially disrupting communications and the services that depend on them. This is particularly critical for mobile network operators, IoT deployments, and any infrastructure relying on MediaTek modems. Because no CVSS score has been assigned, severity has to be assessed from impact and exploitability factors.

Potential Impact

For European organizations, the primary impact of CVE-2025-20794 is the potential for remote denial of service on devices using affected MediaTek modems. This could disrupt mobile communications, IoT device functionality, and critical infrastructure relying on cellular connectivity. Telecommunications providers may experience network instability or service outages if large numbers of devices are affected simultaneously. Enterprises deploying IoT solutions with these chipsets could see operational interruptions, affecting manufacturing, logistics, or smart city applications. The vulnerability could also be leveraged to degrade service availability in targeted attacks, impacting sectors such as finance, healthcare, and emergency services that depend on reliable mobile connectivity. Since exploitation requires connection to a rogue base station, attackers with the capability to deploy such infrastructure could selectively disrupt communications in specific geographic areas. This raises concerns for public safety and national security, especially in countries with advanced 5G deployments and dense urban populations. The broad chipset coverage means many consumer and industrial devices are at risk, amplifying the potential scale of impact across Europe.

Mitigation Recommendations

European organizations should prioritize the following mitigations:

1) Coordinate with device manufacturers and mobile network operators to ensure timely deployment of patches MOLY01689259 and MOLY01586470 to affected devices and modems.
2) Implement network-level detection and prevention mechanisms to identify and block rogue base stations, including IMSI-catcher detection tools and anomaly-based monitoring.
3) Enforce strict base station authentication and integrity checks within mobile networks to reduce the risk of rogue station connections.
4) For IoT deployments, segment networks and apply strict access controls to limit exposure of vulnerable devices.
5) Educate security teams about the threat vector involving rogue base stations and monitor for unusual device behavior or connectivity issues.
6) Collaborate with telecom regulators and industry groups to share threat intelligence and coordinate responses.
7) Consider deploying endpoint security solutions capable of detecting modem firmware anomalies or crashes.
8) Maintain an inventory of devices using affected MediaTek chipsets to assess exposure and prioritize remediation.

These steps go beyond generic patching by addressing the specific exploitation vector, a rogue base station, and by strengthening overall network resilience.

Technical Details

Data Version: 5.2
Assigner Short Name: MediaTek
Date Reserved: 2024-11-01T01:21:50.403Z
CVSS Version: null
State: PUBLISHED

Threat ID: 695c6e7a3839e44175bdd3d9

Added to database: 1/6/2026, 2:07:54 AM

Last enriched: 1/6/2026, 2:26:18 AM

Last updated: 1/8/2026, 12:24:56 PM
