%20(1).webp?w=1920&resize=1920,0&ssl=1 "Vital MediaTek Flaws Permit Hackers to Achieve Elevated Entry with No Consumer Enter")
MediaTek has revealed its newest Product Safety Bulletin, revealing a number of safety vulnerabilities affecting a variety of its chipsets utilized in smartphones, tablets, AIoT gadgets, sensible shows, sensible platforms, OTT gadgets, pc imaginative and prescient methods, audio tools, and TVs.
Machine OEMs had been notified of those points and supplied with corresponding safety patches at the very least two months earlier than the general public disclosure, consistent with business greatest practices.
Severity Evaluation and Technical Overview
The evaluation of those vulnerabilities was carried out utilizing the Frequent Vulnerability Scoring System model 3.1 (CVSS v3.1), which is extensively adopted for evaluating the severity of software program vulnerabilities.
The bulletin identifies one high-severity vulnerability (CVE-2025-20672) and 6 medium-severity vulnerabilities (CVE-2025-20673 by means of CVE-2025-20678).
The vulnerabilities span a number of technical classes, together with:
- Elevation of Privilege (EoP): Permits attackers to realize unauthorized entry or privileges.
- Denial of Service (DoS): Allows attackers to disrupt regular functioning, resulting in system crashes.
- CWE-122 Heap Overflow: A important concern the place improper bounds checking permits writing outdoors the allotted reminiscence, doubtlessly resulting in privilege escalation.
- CWE-476 NULL Pointer Dereference: Happens when a program makes an attempt to make use of a null pointer, resulting in crashes or denial of service.
- CWE-863 Incorrect Authorization: Entails lacking permission checks, doubtlessly permitting unauthorized actions.
- CWE-674 Uncontrolled Recursion: Extreme recursive calls may cause stack overflows and repair disruptions.
Detailed Vulnerability Breakdown
The next desk summarizes the reported vulnerabilities, their technical nature, and affected chipsets:
| CVE | Title | Severity | Vulnerability Kind | CWE Code | Affected Chipsets | Affected Software program Variations |
|---|---|---|---|---|---|---|
| CVE-2025-20672 | Heap overflow in Bluetooth | Excessive | EoP | CWE-122 | MT7902, MT7921, MT7922, MT7925, MT7927 | NB SDK launch 3.6 and earlier than |
| CVE-2025-20673 | Null pointer dereference in wlan | Medium | DoS | CWE-476 | MT7902, MT7921, MT7922, MT7925, MT7927 | NB SDK launch 3.6 and earlier than |
| CVE-2025-20674 | Incorrect authorization in wlan | Medium | EoP | CWE-863 | MT6890, MT6990, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993 | SDK launch 7.6.7.2 and earlier than / OpenWrt 19.07, 21.02 (MT6890) / OpenWrt 21.02, 23.05 (MT6990) |
| CVE-2025-20675 | Null pointer dereference in wlan | Medium | DoS | CWE-476 | MT7902, MT7921, MT7922, MT7925, MT7927 | NB SDK launch 3.6 and earlier than |
| CVE-2025-20676 | Null pointer dereference in wlan | Medium | DoS | CWE-476 | MT7902, MT7921, MT7922, MT7925, MT7927 | NB SDK launch 3.6 and earlier than |
| CVE-2025-20677 | Null pointer dereference in Bluetooth | Medium | DoS | CWE-476 | MT7902, MT7921, MT7922, MT7925, MT7927 | NB SDK launch 3.6 and earlier than |
| CVE-2025-20678 | Uncontrolled recursion in ims service | Medium | DoS | CWE-674 | In depth listing (e.g., MT6739, MT6761, MT6890, MT6990, and so forth.) | Modem LR12A, LR13, NR15, NR16, NR17, NR17R |
Response and Business Impression
MediaTek has proactively engaged with machine producers, making certain that patches can be found forward of public disclosure.
The corporate emphasizes that the listing of affected chipsets will not be exhaustive and encourages OEMs to contact their MediaTek consultant for additional clarification.
For customers and enterprises, the well timed software of safety updates stays important. MediaTek additionally invitations researchers and stakeholders to report any further vulnerabilities by means of its official channels.
Key Technical Phrases:
- CVE (Frequent Vulnerabilities and Exposures): Distinctive identifiers for publicly recognized cybersecurity vulnerabilities.
- CWE (Frequent Weak spot Enumeration): Standardized classes for software program weaknesses.
- EoP, DoS, RCE: Abbreviations for Elevation of Privilege, Denial of Service, and Distant Code Execution, respectively.
MediaTek’s bulletin underscores the continued want for vigilance within the quickly evolving panorama of embedded and linked machine safety.
Discover this Information Attention-grabbing! Observe us on Google Information, LinkedIn, & X to Get Immediate Updates!
