MediaTek has unveiled its March 2025 Product Security Bulletin, detailing a series of newly identified security vulnerabilities that affect a broad range of its chipsets – spanning smartphones, tablets, AIoT devices, smart displays, OTT hardware, computer vision platforms, audio systems, and smart televisions.
The bulletin details 10 vulnerabilities, with three rated as high severity and the rest as medium. The high-severity vulnerabilities could allow attackers to cause denial of service or escalate privileges.
Three vulnerabilities are flagged with a High severity rating: CVE-2025-20644, CVE-2025-20645, and CVE-2025-20646. Each presents different risks:
-
CVE-2025-20644 (Modem – Denial of Service)
A syntactic correctness issue in certain Modem software versions can cause memory corruption, leading to remote denial of service (DoS). In the worst-case scenario, an attacker controlling a rogue base station could knock a device offline without the user ever knowing. -
CVE-2025-20645 (KeyInstall – Escalation of Privilege)
Missing bounds checks in KeyInstall can lead to out-of-bounds writes. While local privilege escalation requires the attacker to already have System privileges, the consequences include unauthorized code execution that can undermine core system protections. -
CVE-2025-20646 (wlan AP FW – Remote Escalation of Privilege)
A vulnerability in the WLAN firmware allows for potential out-of-bounds writes that could permit remote escalation of privilege. Successful exploitation requires no user interaction, making it especially concerning for Wi-Fi–capable devices in both consumer and enterprise settings.
The bulletin underscores that many popular chipset lines—ranging from the MT67xx/MT68xx/MT69xx series to specialized connectivity and AIoT solutions—are impacted. MediaTek has provided patches to device OEMs at least two months prior to publication, giving vendors time to release over-the-air firmware updates and integrate fixes within operating system patches.
Users are advised to update their devices with the latest security updates as they become available.
Related Posts:
- MediaTek’s February 2025 Security Bulletin: Critical WLAN Vulnerabilities Expose Millions to Remote Attacks
- CVE-2024-20154: Critical RCE Flaw in MediaTek Chipsets Impacts Millions
- MediaTek Patches High-Severity Vulnerability in Smartphone Chipsets (CVE-2024-20125)
- Severe Unauthenticated RCE Flaw (CVSS 9.9) in GNU/Linux Systems Awaiting Full Disclosure
