Cyber Security News

MediaTek Security Update – Patch for Vulnerabilities Affecting Smartphone, Tablet, & other Devices

MediaTek has released a critical security update addressing multiple vulnerabilities in its chipsets, including one critical flaw that could allow attackers to execute malicious code remotely on affected devices without user interaction.

The bulletin, published today, highlights significant security risks affecting a wide array of devices, including smartphones, tablets, IoT devices, smart displays, and various multimedia equipment.

Critical Vulnerability Details

This security update centers on CVE-2025-20654, a critical vulnerability in the WLAN service component of multiple MediaTek chipsets. 

The flaw is an out-of-bounds write caused by an incorrect bounds check, classified under CWE-787 (Out-of-bounds Write).

The vulnerability enables remote code execution without requiring additional execution privileges or user interaction.

The vulnerability affects several widely-deployed chipsets, including MT6890, MT7622, MT7915, MT7916, MT7981, and MT7986.

Affected software versions encompass SDK version 7.4.0.1 for MT7622 and MT7915 chipsets, SDK version 7.6.7.0 for MT7916, MT7981, and MT7986 chipsets, as well as OpenWrt versions 19.07 and 21.02 for the MT6890 chipset.

Additional Security Concerns

The security bulletin also addresses several high-severity vulnerabilities, including CVE-2025-20655, CVE-2025-20656, CVE-2025-20657, and CVE-2025-20658. 

These vulnerabilities could potentially lead to remote code execution, local privilege escalation, or denial of service in various components of affected devices. 

Additionally, six medium-severity flaws (CVE-2025-20659 through CVE-2025-20664) have been identified and patched.

Manufacturers using affected MediaTek chipsets are strongly advised to review the complete Product Security Bulletin and implement the recommended patches immediately. 

End-users should ensure their devices are running the latest firmware versions by checking for and installing available updates.

This security update exemplifies MediaTek’s ongoing commitment to maintaining the integrity and security of its technology ecosystem, protecting millions of devices and their users worldwide from potential exploitation.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
