CVE-2025-20725

7.5 HIGH

📋 TL;DR

This vulnerability in the IMS service allows remote privilege escalation through an out-of-bounds write when a user equipment (UE) connects to a rogue base station controlled by an attacker. No user interaction or additional privileges are required for exploitation. This affects devices using MediaTek chipsets with vulnerable IMS implementations.

💻 Affected Systems

Products:
  • MediaTek chipsets with IMS service
Versions: Specific versions not publicly detailed in advisory
Operating Systems: Android-based systems using MediaTek chipsets
Default Config Vulnerable: ⚠️ Yes
Notes: Requires connection to rogue base station; affects mobile devices and IoT devices using MediaTek chipsets with IMS functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete device compromise allowing attacker to execute arbitrary code with system privileges, potentially gaining persistent access to the device and network.

🟠 Likely Case

Attacker gains elevated privileges on the device, enabling data theft, surveillance, or further exploitation of the device and connected networks.

🟢 If Mitigated

Limited impact if devices are patched and network-level protections prevent connection to rogue base stations.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires the attacker to operate a rogue base station, which adds complexity, but no authentication is needed once the UE connects to it.

🛠️ Fix & Mitigation

✅ Official Fix

Patch ID: MOLY01671924

Vendor Advisory: https://corp.mediatek.com/product-security-bulletin/November-2025

Restart Required: Yes

Instructions:

1. Check with device manufacturer for firmware updates
2. Apply the patch with ID MOLY01671924 referenced in the MediaTek advisory
3. Reboot device after patch installation

🔧 Temporary Workarounds

Disable automatic network switching
Applies to: all

Prevent devices from automatically connecting to unknown base stations

Use trusted networks only
Applies to: all

Configure devices to only connect to known, trusted cellular networks

🧯 If You Can't Patch

  • Isolate vulnerable devices from critical networks
  • Implement network monitoring for rogue base station connections

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against manufacturer's patched versions; devices with unpatched MediaTek IMS service are vulnerable.

Check Version:

Device-specific; typically in Settings > About Phone > Software Information

Verify Fix Applied:

Verify patch MOLY01671924 is applied by checking firmware version or patch status in device settings.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected base station connections
  • IMS service crashes or abnormal behavior
  • Privilege escalation attempts

Network Indicators:

  • Connections to suspicious base station IDs
  • Unusual IMS protocol traffic patterns

SIEM Query:

Search for IMS service errors or unexpected network authentication events from mobile devices
