CVE-2022-20093

7.8 HIGH

📋 TL;DR

A missing permission check in MediaTek telephony components lets a local attacker disable SMS message reception. This enables local privilege escalation without user interaction or additional execution privileges. It affects devices using vulnerable MediaTek chipsets.

💻 Affected Systems

Products:
  • MediaTek chipset-based smartphones and devices
Versions: Specific MediaTek firmware versions before patch ALPS06498868
Operating Systems: Android with MediaTek telephony stack
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using vulnerable MediaTek telephony firmware. Exact device models not specified in bulletin.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker with physical access or a malicious app could permanently disable SMS functionality, potentially interfering with two-factor authentication, emergency alerts, and communication services.

🟠 Likely Case

Malicious apps could silently disable SMS reception, preventing users from receiving important messages including security codes and notifications.

🟢 If Mitigated

With proper app sandboxing and permission controls, exploitation would be limited to apps with telephony permissions.

🌐 Internet-Facing: LOW - Requires local access or malicious app installation.
🏢 Internal Only: MEDIUM - Could be exploited by malicious apps on corporate devices to disrupt SMS-based authentication.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access or malicious app installation. No user interaction needed once app is installed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware with patch ID ALPS06498868

Vendor Advisory: https://corp.mediatek.com/product-security-bulletin/May-2022

Restart Required: Yes

Instructions:

1. Check with device manufacturer for firmware updates.
2. Apply MediaTek-provided patch ALPS06498868.
3. Reboot device after update.

🔧 Temporary Workarounds

  • Restrict app permissions (Android): Review and restrict telephony permissions for non-essential apps.
  • Disable unknown sources (Android): Prevent installation of apps from unknown sources to reduce attack surface.

🧯 If You Can't Patch

  • Monitor for suspicious apps requesting telephony permissions
  • Implement mobile device management with app whitelisting

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against manufacturer's patched versions. Look for patch ALPS06498868 in system updates.

Check Version:

Settings > About Phone > Build Number (varies by device)

Verify Fix Applied:

Verify firmware version includes patch ALPS06498868. Test SMS reception functionality.

📡 Detection & Monitoring

Log Indicators:

  • Unusual telephony permission requests
  • SMS service disruption logs

Network Indicators:

  • SMS delivery failures without network issues

SIEM Query:

android.permission.*telephony OR (sms_failure AND NOT network_issue)
