Researchers have identified critical vulnerabilities in MediaTek wireless LAN (WLAN) drivers that could expose millions of devices to severe security risks.
These vulnerabilities, tracked under the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2025-20631, CVE-2025-20632, and CVE-2025-20633, allow attackers to exploit flaws in the WLAN Access Point (AP) drivers of multiple MediaTek chipsets.
The vulnerabilities, all categorized as out-of-bounds write issues (CWE-787), stem from incorrect bounds checking in the WLAN drivers.
An out-of-bounds write occurs when a program writes data outside its allocated memory space, which can lead to memory corruption, privilege escalation, or remote code execution (RCE).
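The bug class in concrete terms, as an added illustration that is not MediaTek's driver code or taken from the advisory: a constructed C parser for an 802.11-style information element (one-byte id, one-byte length, payload) that copies an SSID received over the air into a fixed per-client buffer. The first function trusts the frame's length byte, which is the CWE-787 "missing bounds check" pattern; the second applies the checks that stop the write from leaving the buffer. The structure layout, buffer size and sample frames are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-client state: a fixed SSID buffer with other fields right
 * behind it, so an overflow lands in data the driver relies on. */
#define SSID_MAX 32

struct client_ctx {
    uint8_t  ssid[SSID_MAX];
    uint8_t  ssid_len;
    uint32_t flags;        /* first thing an overflowing memcpy would clobber */
};

/* BEFORE (the CWE-787 pattern): the element's length byte comes straight off
 * the air, yet it is used as the copy size with no check against the
 * destination capacity or the frame length. ie_len > SSID_MAX writes past
 * ssid into ssid_len and flags. Kept only to show the defect; never call it
 * with untrusted input. */
int copy_ssid_unchecked(struct client_ctx *ctx, const uint8_t *ie, size_t frame_len)
{
    if (frame_len < 2)
        return -1;
    uint8_t ie_len = ie[1];
    memcpy(ctx->ssid, ie + 2, ie_len);   /* unchecked, attacker-chosen size */
    ctx->ssid_len = ie_len;
    return 0;
}

/* AFTER: every quantity derived from the frame is validated before it drives
 * a memory operation. Return codes name the rejected condition. */
int copy_ssid_checked(struct client_ctx *ctx, const uint8_t *ie, size_t frame_len)
{
    if (frame_len < 2)
        return -1;                       /* header truncated */
    uint8_t ie_len = ie[1];
    if (ie_len > SSID_MAX)
        return -2;                       /* would overflow the destination */
    if ((size_t)ie_len > frame_len - 2)
        return -3;                       /* claims more payload than the frame holds */
    memcpy(ctx->ssid, ie + 2, ie_len);
    ctx->ssid_len = ie_len;
    return 0;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t g_good[] = { 0x00, 0x04, 'h', 'o', 'm', 'e' };  /* SSID "home" */
static const uint8_t g_oversized[42] = { 0x00, 40 };  /* claims 40 bytes > SSID_MAX */
static const uint8_t g_truncated[] = { 0x00, 0x10, 'a', 'b' };  /* claims 16, carries 2 */
static struct client_ctx g_ctx;

int main(void)
{
    memset(&g_ctx, 0, sizeof g_ctx);
    printf("good:      %d\n", copy_ssid_checked(&g_ctx, g_good, sizeof g_good));           /* 0 */
    printf("oversized: %d\n", copy_ssid_checked(&g_ctx, g_oversized, sizeof g_oversized)); /* -2 */
    printf("truncated: %d\n", copy_ssid_checked(&g_ctx, g_truncated, sizeof g_truncated)); /* -3 */
    printf("flags still intact: %u\n", g_ctx.flags);                                        /* 0 */
    return 0;
}
```

The checked version rejects both directions of the problem: a length larger than the destination (the out-of-bounds write) and a length larger than the remaining frame (an out-of-bounds read of whatever follows the frame in memory). Reviewing driver parsers for exactly this pair of comparisons, on every length field that originates from a peer, is the practical mitigation for the bug class described here.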
Technical Overview of the WLAN Vulnerabilities
CVE-2025-20631
A high-severity vulnerability, identified as CVE-2025-20631, has been discovered in MediaTek chipsets.
This vulnerability allows for local privilege escalation through an out-of-bounds write exploit. Critically, this attack requires no user interaction, making it particularly dangerous.
The affected chipsets include MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, and MT7986.
The vulnerability impacts MediaTek’s Software Development Kit (SDK) version 7.6.7.2 and all earlier versions.
CVE-2025-20632
CVE-2025-20632 is a high-severity vulnerability that allows local attackers to gain elevated privileges.
This is achieved by exploiting an out-of-bounds write in the WLAN AP driver. The affected chipsets include MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, and MT7986.
MediaTek’s SDK release 7.6.7.2 and earlier are affected by this vulnerability.
CVE-2025-20633
CVE-2025-20633 is a high-severity vulnerability that allows for remote code execution (RCE). Attackers can exploit an out-of-bounds write in the WLAN AP driver to achieve this.
This vulnerability does not require user interaction or additional execution privileges. The affected chipsets are MT7603, MT7615, MT7622, and MT7915.
This issue affects MediaTek’s SDK releases 7.4.0.1 and earlier.
Details of the Other Security Vulnerabilities:
| CVE ID | Vulnerability Type | Description |
|---|---|---|
| CVE-2025-20634 | RCE | In Modem, a possible out-of-bounds write due to a missing bounds check could lead to remote code execution if connected to a rogue base station. No user interaction needed. |
| CVE-2025-20635 | EoP | In V6 DA, a possible out-of-bounds write due to a missing bounds check could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20636 | EoP | In secmem, a possible out-of-bounds write due to a missing bounds check could lead to local privilege escalation. No user interaction needed. |
| CVE-2025-20637 | DoS | In network HW, an uncaught exception could cause a system hang, leading to remote denial of service. No user interaction needed. |
| CVE-2024-20141 | EoP | In V5 DA, a possible write-what-where condition could lead to local privilege escalation if the attacker has physical access. User interaction is needed for exploitation. |
| CVE-2024-20142 | EoP | In V5 DA, a possible out-of-bounds write due to a missing bounds check could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20638 | ID | In DA, a possible read of uninitialized heap data could lead to local information disclosure. User interaction is needed for exploitation. |
| CVE-2025-20639 | EoP | In DA, a possible out-of-bounds write due to a missing bounds check could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20640 | ID | In DA, a possible out-of-bounds read due to a missing bounds check could lead to local information disclosure. User interaction is needed for exploitation. |
| CVE-2025-20641 | EoP | In DA, a possible out-of-bounds write in Flash Tool V5 old-arch Lib could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20642 | EoP | In DA, a possible out-of-bounds write in Flash Tool V5 old-arch Lib could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20643 | ID | Debug messages in Flash Tool V5 old-arch Lib could reveal sensitive information to attackers. User interaction is needed for exploitation. |
| CVE-2024-20147 | DoS | In Bluetooth FW, a reachable assertion due to improper exception handling could lead to remote denial of service. No user interaction is needed. |
The vulnerabilities pose a severe security risk, especially for IoT devices, routers, and smartphones built on MediaTek chipsets. MediaTek has been alerted to these vulnerabilities by external researchers and is expected to release patched versions of the affected SDKs.
Organizations and consumers alike should remain vigilant and apply updates promptly, since devices running the affected SDK releases remain exposed to attacks exploiting these flaws until patched.