MediaTek’s July 2025 Product Security Bulletin exposes a series of critical and high-severity vulnerabilities affecting a wide range of their chipsets, from smartphones and AIoT devices to smart TVs and audio solutions. With threats ranging from local privilege escalation to remote code execution (RCE) and information disclosure, the bulletin underscores the growing attack surface in embedded systems and connected platforms.
CVE-2025-20680: Heap Overflow in Bluetooth Driver
In this vulnerability, the Bluetooth driver contains a flaw in bounds checking that can lead to heap overflow, enabling local escalation of privilege (EoP) without requiring user interaction. It affects chipsets like MT7902, MT7920, MT7921, MT7922, MT7925, and MT7927, particularly those running NB SDK release 3.6 and earlier.
CVE-2025-20681 to CVE-2025-20684: A Cluster of WLAN EoP Vulnerabilities
Four additional vulnerabilities affect the wlan AP driver, each resulting in an out-of-bounds write that can lead to local EoP. Affected chipsets include MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, and MT7986; the flaws are present in SDK releases up to 7.6.7.2 and in OpenWRT versions 19.07 and 21.02.
The common factor across these vulnerabilities is a faulty bounds check in the wlan driver logic, which—if exploited—allows an attacker with basic user privileges to escalate control over the system.
CVE-2025-20685 and CVE-2025-20686: Heap Overflows Enable Remote Code Execution
These two vulnerabilities mark a significant escalation, enabling remote (proximal/adjacent) code execution in the wlan AP driver. They stem from similar out-of-bounds write flaws in chipsets such as MT6890, MT7915, MT7916, MT7981, and MT7986, running on SDK 7.6.7.2 and earlier.
These RCE flaws represent a substantial risk for Wi-Fi-enabled IoT devices, especially in environments where multiple untrusted devices communicate over a shared network.
CVE-2025-20687: Bluetooth DoS via Out-of-Bounds Read
In a medium-severity vulnerability, improper bounds checking in the Bluetooth driver allows out-of-bounds reads, potentially causing denial-of-service (DoS) conditions. Impacted chipsets include MT7902 through MT7927, found in NB SDK 3.6 and earlier.
CVE-2025-20688 to CVE-2025-20692: Information Disclosure in WLAN Drivers
Five vulnerabilities were identified in the wlan AP driver, allowing local information disclosure via out-of-bounds reads. They affect a wide range of chipsets including MT7615, MT7622, MT7663, MT7915, and MT7986, and apply to the same OpenWRT and SDK versions mentioned previously.
These flaws, though less severe, could allow attackers to extract sensitive memory contents or session data during exploitation.
CVE-2025-20693: Remote Information Disclosure via WLAN STA Driver
A particularly wide-reaching vulnerability, CVE-2025-20693, affects the wlan STA driver across dozens of chipsets—from MT2737 and MT6886 to MT8893 and MT8796—running on Android 13 through 15, OpenWRT 21.02 / 23.05, and Yocto 4.0. The issue allows remote, adjacent attackers to extract memory contents without needing additional privileges or user interaction.
CVE-2025-20694 and CVE-2025-20695: Buffer Underflows in Bluetooth Firmware
Two medium-severity vulnerabilities in Bluetooth firmware affect chipsets ranging from MT2718 to MT8796, across Android and embedded Linux distributions. The bugs cause buffer underflows, which can lead to system crashes and remote DoS conditions. As with the other Bluetooth issues, no user interaction is required.
What Should Users and OEMs Do?
MediaTek strongly urges OEMs to apply the available patches across affected chipsets, and end users to install device firmware updates as soon as they become available. Given the range of products impacted—from smartphones to smart TVs and industrial devices—organizations should audit their environments for unpatched MediaTek-powered systems.