FKIE_CVE-2025-20674

Vulnerability from fkie_nvd - Published: 2025-06-02 03:15 - Updated: 2025-07-18 17:16
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
In wlan AP driver, there is a possible way to inject arbitrary packet due to a missing permission check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00413202; Issue ID: MSV-3303.
References
security@mediatek.comhttps://corp.mediatek.com/product-security-bulletin/June-2025Vendor Advisory
Impacted products
Vendor Product Version
openwrt openwrt 19.07.0
openwrt openwrt 21.02.0
mediatek mt6890 -
openwrt openwrt 21.02.0
openwrt openwrt 23.05
mediatek mt6990 -
mediatek software_development_kit *
mediatek mt6890 -
mediatek mt6990 -
mediatek mt7915 -
mediatek mt7916 -
mediatek mt7981 -
mediatek mt7986 -
mediatek mt7990 -
mediatek mt7992 -
mediatek mt7993 -
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:openwrt:openwrt:19.07.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "4FA469E2-9E63-4C9A-8EBA-10C8C870063A",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:openwrt:openwrt:21.02.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "F0133207-2EED-4625-854F-8DB7770D5BF7",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "171D1C08-F055-44C0-913C-AA2B73AF5B72",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:openwrt:openwrt:21.02.0:-:*:*:*:*:*:*",
              "matchCriteriaId": "F0133207-2EED-4625-854F-8DB7770D5BF7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:openwrt:openwrt:23.05:*:*:*:*:*:*:*",
              "matchCriteriaId": "AED95D06-8EC6-4070-BE3C-E0F851D7FFC1",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:mediatek:mt6990:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A76806D-A4E3-466A-90CB-E9FFE478E7A0",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:mediatek:software_development_kit:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "0DD86CC1-BD46-42D2-9112-190CCAC96B30",
              "versionEndIncluding": "7.6.7.2",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        },
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:h:mediatek:mt6890:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "171D1C08-F055-44C0-913C-AA2B73AF5B72",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:mediatek:mt6990:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "1A76806D-A4E3-466A-90CB-E9FFE478E7A0",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:mediatek:mt7915:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "3AB22996-9C22-4B6C-9E94-E4C055D16335",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:mediatek:mt7916:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "DD5AA441-5381-4179-89EB-1642120F72B4",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:mediatek:mt7981:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "490CD97B-021F-4350-AEE7-A2FA866D5889",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:mediatek:mt7986:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "40A9E917-4B34-403F-B512-09EEBEA46811",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:mediatek:mt7990:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "4901B2A5-B0C8-4A0C-AC17-87D469744817",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:mediatek:mt7992:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "50D01D7D-A88D-471D-A23A-42AF4DF82952",
              "vulnerable": false
            },
            {
              "criteria": "cpe:2.3:h:mediatek:mt7993:-:*:*:*:*:*:*:*",
              "matchCriteriaId": "76653163-7627-4C63-A5E2-6277C0EFE23E",
              "vulnerable": false
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ],
      "operator": "AND"
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "In wlan AP driver, there is a possible way to inject arbitrary packet due to a missing permission check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00413202; Issue ID: MSV-3303."
    },
    {
      "lang": "es",
      "value": "En el controlador del punto de acceso WLAN, existe una forma posible de inyectar un paquete arbitrario debido a la falta de verificaci\u00f3n de permisos. Esto podr\u00eda provocar una escalada remota de privilegios sin necesidad de permisos de ejecuci\u00f3n adicionales. No se requiere la interacci\u00f3n del usuario para su explotaci\u00f3n. ID de parche: WCNCR00413202; ID de problema: MSV-3303."
    }
  ],
  "id": "CVE-2025-20674",
  "lastModified": "2025-07-18T17:16:22.560",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 9.8,
          "baseSeverity": "CRITICAL",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 5.9,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2025-06-02T03:15:24.737",
  "references": [
    {
      "source": "security@mediatek.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://corp.mediatek.com/product-security-bulletin/June-2025"
    }
  ],
  "sourceIdentifier": "security@mediatek.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-863"
        }
      ],
      "source": "security@mediatek.com",
      "type": "Secondary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.