MediaTek has released a security bulletin addressing 16 vulnerabilities across its chipset portfolio, affecting devices from smartphones to IoT platforms.
The update, evaluated using the Common Vulnerability Scoring System version 3.1 (CVSS v3.1), includes seven high-severity and nine medium-severity vulnerabilities that impact Bluetooth, WLAN, and various system components.
Device OEMs received notifications and corresponding security patches at least two months prior to this publication, ensuring adequate preparation time for implementation across affected hardware platforms.
Key Takeaways
1. 16 Vulnerabilities Fixed: MediaTek patched 7 high-severity and 9 medium-severity security flaws using CVSS v3.1 evaluation.
2. Affects smartphones, tablets, IoT devices, smart displays, and TV chipsets across MediaTek's product range.
3. High-severity issues enable privilege escalation, remote code execution, and system compromise without user interaction.
4. Medium-severity flaws cause information disclosure and potential system crashes through driver vulnerabilities.
High-Severity Vulnerabilities
The security bulletin identifies seven high-severity vulnerabilities (CVE-2025-20680 through CVE-2025-20686) that pose significant threats to system integrity.
CVE-2025-20680 represents a heap overflow vulnerability in Bluetooth drivers affecting chipsets MT7902, MT7920, MT7921, MT7922, MT7925, and MT7927, classified under CWE-122 (Heap Overflow) with potential for local escalation of privilege (EoP).
This vulnerability stems from incorrect bounds checking in NB SDK release 3.6 and earlier versions.
Multiple WLAN AP driver vulnerabilities (CVE-2025-20681 through CVE-2025-20684) exhibit out-of-bounds write conditions classified as CWE-787, affecting chipsets including MT6890, MT7615, MT7622, MT7663, MT7915, MT7916, MT7981, and MT7986.
These vulnerabilities enable local privilege escalation, need only user execution privileges, and require no user interaction for exploitation.
The most concerning threats are CVE-2025-20685 and CVE-2025-20686, which enable remote code execution (RCE) through heap overflow conditions in WLAN AP drivers, potentially allowing attackers to execute arbitrary code without additional privileges.
Medium-Severity Issues
Nine medium-severity vulnerabilities (CVE-2025-20687 through CVE-2025-20695) primarily involve information disclosure (ID) and denial of service (DoS).
CVE-2025-20687 affects Bluetooth drivers with out-of-bounds read conditions (CWE-125), leading to local denial of service on affected chipsets.
Multiple WLAN vulnerabilities (CVE-2025-20688 through CVE-2025-20693) exhibit similar out-of-bounds read patterns, enabling information disclosure attacks across numerous chipsets, including MT6835, MT6878, MT6886, MT6897, MT6899, MT6985, MT6989, MT6990, MT6991, and various MT7000 series processors.
Buffer underflow vulnerabilities (CVE-2025-20694 and CVE-2025-20695) in Bluetooth firmware present system crash risks classified as CWE-124, affecting extensive chipset ranges including MT2718, MT6639, MT6653, MT8113, MT8115, MT8127, MT8163, MT8168, MT8169, MT8173, MT8183, MT8186, MT8188, MT8195, MT8196, MT8370, MT8390, MT8391, MT8395, MT8512, MT8516, MT8519, MT8676, MT8678, MT8695, MT8696, MT8698, MT8786, MT8792, MT8796, and MT8893.
CVE | Title | Vulnerability Type | Severity |
CVE-2025-20680 | Heap overflow in Bluetooth | Elevation of Privilege | High |
CVE-2025-20681 | Out-of-bounds write in wlan | Elevation of Privilege | High |
CVE-2025-20682 | Out-of-bounds write in wlan | Elevation of Privilege | High |
CVE-2025-20683 | Out-of-bounds write in wlan | Elevation of Privilege | High |
CVE-2025-20684 | Out-of-bounds write in wlan | Elevation of Privilege | High |
CVE-2025-20685 | Heap overflow in wlan | RCE | High |
CVE-2025-20686 | Heap overflow in wlan | RCE | High |
CVE-2025-20687 | Out-of-bounds read in Bluetooth | Denial of Service | Medium |
CVE-2025-20688 | Out-of-bounds read in wlan | Information Disclosure | Medium |
CVE-2025-20689 | Out-of-bounds read in wlan | Information Disclosure | Medium |
CVE-2025-20690 | Out-of-bounds read in wlan | Information Disclosure | Medium |
CVE-2025-20691 | Out-of-bounds read in wlan | Information Disclosure | Medium |
CVE-2025-20692 | Out-of-bounds read in wlan | Information Disclosure | Medium |
CVE-2025-20693 | Out-of-bounds read in wlan | Information Disclosure | Medium |
CVE-2025-20694 | Buffer underflow in Bluetooth | Denial of Service | Medium |
CVE-2025-20695 | Buffer underflow in Bluetooth | Denial of Service | Medium |
Mitigation Strategies
The security update addresses vulnerabilities across MediaTek’s diverse product ecosystem, spanning smartphone chipsets, tablet processors, AIoT devices, smart displays, OTT platforms, computer vision solutions, audio processing units, and television chipsets.
Affected software versions include Android 13.0, 14.0, and 15.0; various SDK releases up to 7.6.7.2; openWRT 19.07, 21.02, and 23.05; and Yocto 4.0 distributions.
Device manufacturers must prioritize implementing these security patches to mitigate potential exploitation risks and maintain system integrity across their product portfolios.