MediaTek

Researchers have identified critical vulnerabilities in MediaTek wireless LAN (WLAN) drivers that could potentially expose millions of devices to severe security risks. 

These vulnerabilities, tracked under the Common Vulnerabilities and Exposures (CVE) identifiers CVE-2025-20631, CVE-2025-20632, and CVE-2025-20633, allow attackers to exploit flaws in the WLAN Access Point (AP) drivers of multiple MediaTek chipsets.

The vulnerabilities, all categorized as out-of-bounds write issues (classified as CWE-787), stem from incorrect bounds checking in the WLAN drivers.

An out-of-bounds write occurs when a program writes data outside allocated memory space, potentially leading to memory corruption, privilege escalation, or remote code execution (RCE).
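To make the missing-bounds-check pattern concrete, here is an added illustration (not MediaTek's driver code, and not the actual bug): a hypothetical routine that copies an SSID element from a received frame into a fixed-size buffer, first trusting the over-the-air length byte and then with the checks a driver must perform before the copy.

```c
#include <stdint.h>
#include <string.h>

#define SSID_MAX 32   /* 802.11 SSIDs are at most 32 bytes */

/* Hypothetical per-AP state (not MediaTek's); whatever follows 'ssid' is
 * what an overlong copy would clobber. */
struct ap_ctx {
    uint8_t  ssid[SSID_MAX];
    uint8_t  ssid_len;
    uint32_t flags;
};

/* Vulnerable pattern (CWE-787): the length byte arrives over the air and is
 * trusted, so any value above SSID_MAX writes past the end of ctx->ssid. */
int copy_ssid_unchecked(struct ap_ctx *ctx, const uint8_t *ie)
{
    uint8_t len = ie[1];
    memcpy(ctx->ssid, ie + 2, len);   /* out-of-bounds write when len > SSID_MAX */
    ctx->ssid_len = len;
    return 0;
}

/* Hardened form: check the element header, the bytes actually present in the
 * frame, and the destination capacity. Returns the SSID length or -1. */
int copy_ssid_checked(struct ap_ctx *ctx, const uint8_t *ie, size_t ie_len)
{
    if (ie_len < 2)
        return -1;                    /* no room for tag + length header */
    uint8_t len = ie[1];
    if ((size_t)len > ie_len - 2)
        return -1;                    /* claims more bytes than the frame carries */
    if (len > SSID_MAX)
        return -1;                    /* would overflow into ssid_len and flags */
    memcpy(ctx->ssid, ie + 2, len);
    ctx->ssid_len = len;
    return len;
}

/* Constructed sample SSID elements (tag 0x00) for demonstration. */
const uint8_t ie_ok[]        = { 0x00, 0x04, 'l', 'a', 'b', '0' };
const uint8_t ie_oversized[] = { 0x00, 0xFF, 'x', 'x', 'x' };  /* claims 255 bytes */
const uint8_t ie_truncated[] = { 0x00, 0x10, 'a', 'b' };       /* claims 16, carries 2 */

/* Runs the hardened routine on one element and returns its verdict. */
int parse_ssid(const uint8_t *ie, size_t ie_len)
{
    struct ap_ctx ctx = { 0 };
    return copy_ssid_checked(&ctx, ie, ie_len);
}
```

The unchecked routine is included only to show the shape of the defect; it must never be fed frames whose length byte exceeds the buffer.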

Technical Overview of the WLAN Vulnerabilities

CVE-2025-20631

A high-severity vulnerability, identified as CVE-2025-20631, has been discovered in MediaTek chipsets.

This vulnerability allows local privilege escalation by exploiting an out-of-bounds write. Critically, the attack requires no user interaction, making it particularly dangerous.

The affected chipsets include MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, and MT7986.

The vulnerability impacts MediaTek’s Software Development Kit (SDK) version 7.6.7.2 and all earlier versions. 

CVE-2025-20632 

CVE-2025-20632 is a high-severity vulnerability that allows local attackers to gain elevated privileges.

This is achieved by exploiting an out-of-bounds write in the WLAN AP driver. The affected chipsets include MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, and MT7986.  

MediaTek’s SDK release 7.6.7.2 and earlier are affected by this vulnerability.

CVE-2025-20633 

CVE-2025-20633 is a high-severity vulnerability that allows for remote code execution (RCE). Attackers can exploit an out-of-bounds write in the WLAN AP driver to achieve this. 

This vulnerability does not require user interaction or additional execution privileges. The affected chipsets are MT7603, MT7615, MT7622, and MT7915. 

This issue affects MediaTek’s SDK releases 7.4.0.1 and earlier.

Details of the Other Security Vulnerabilities:

| CVE ID | Vulnerability Type | Description |
|---|---|---|
| CVE-2025-20634 | RCE | In Modem, a possible out-of-bounds write due to a missing bounds check could lead to remote code execution if connected to a rogue base station. No user interaction needed. |
| CVE-2025-20635 | EoP | In V6 DA, a possible out-of-bounds write due to a missing bounds check could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20636 | EoP | In secmem, a possible out-of-bounds write due to a missing bounds check could lead to local privilege escalation. No user interaction needed. |
| CVE-2025-20637 | DoS | In network HW, an uncaught exception could cause a system hang, leading to remote denial of service. No user interaction needed. |
| CVE-2024-20141 | EoP | In V5 DA, a possible write-what-where condition could lead to local privilege escalation if the attacker has physical access. User interaction is needed for exploitation. |
| CVE-2024-20142 | EoP | In V5 DA, a possible out-of-bounds write due to a missing bounds check could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20638 | ID | In DA, a possible read of uninitialized heap data could lead to local information disclosure. User interaction is needed for exploitation. |
| CVE-2025-20639 | EoP | In DA, a possible out-of-bounds write due to a missing bounds check could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20640 | ID | In DA, a possible out-of-bounds read due to a missing bounds check could lead to local information disclosure. User interaction is needed for exploitation. |
| CVE-2025-20641 | EoP | In DA, a possible out-of-bounds write in Flash Tool V5 old-arch Lib could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20642 | EoP | In DA, a possible out-of-bounds write in Flash Tool V5 old-arch Lib could lead to local privilege escalation. User interaction is needed for exploitation. |
| CVE-2025-20643 | ID | Debug messages in Flash Tool V5 old-arch Lib could reveal sensitive information to attackers. User interaction is needed for exploitation. |
| CVE-2024-20147 | DoS | In Bluetooth FW, a reachable assertion due to improper exception handling could lead to remote denial of service. No user interaction is needed. |

RCE = remote code execution; EoP = elevation of privilege; ID = information disclosure; DoS = denial of service.

The vulnerabilities pose a severe security risk, especially for IoT devices, routers, and smartphones leveraging MediaTek chipsets. MediaTek has been alerted to these vulnerabilities by external researchers and is expected to release a patched version of the affected SDKs.

Organizations and consumers alike should remain vigilant, ensuring timely updates to avoid falling prey to potential attacks exploiting these flaws.

Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.