MediaTek reveals host of security vulnerabilities, so patch now

Are the price of flagships about to drop? (Image credit: Future)

MediaTek releases security advisory detailing 13 vulnerabilities
Among them is a critical-severity RCE, plaguing 51 chipsets
Flaws have been addressed and patches are available, so update now

MediaTek has disclosed more than a dozen vulnerabilities affecting various elements of its products.

Among the flaws is a remote code execution (RCE) vulnerability affecting the modem component, found in 51 chipsets. Tracked as CVE-2024-20154, it was given a “critical” severity rating, although the exact score was not disclosed (it’s somewhere in the 9.0-10.0 range).

“In Modem, there is a possible out of bounds write due to a missing bounds check. This could lead to remote code execution, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed,” MediaTek explained in its security advisory. “User interaction is not needed for exploitation.”

No evidence of abuse

While the list of affected chipsets is fairly extensive and includes devices used in IoT gear, Chromebooks, cars, and smartphones, the number of software versions is only six. The entire list can be found on this link.

Among the other flaws are seven that were rated as “high severity”, including privilege escalations, denial of service, remote code execution, information leakage, and more. MediaTek said it notified device manufacturers two months ago, suggesting that the vulnerabilities have since been patched for the most part.

Prior to this January 2025 update, MediaTek addressed critical vulnerabilities in its chipsets in November 2024. That Product Security Bulletin detailed several high-severity vulnerabilities, including CVE-2024-20104 and CVE-2024-20106, which could lead to privilege escalation and arbitrary code execution. These flaws affected a range of chipsets, and users were advised to apply the latest security updates as soon as possible.

At press time, there was no evidence that any of these flaws were being abused in the wild. However, since threat actors will often scan the internet for endpoints vulnerable to known flaws, users are advised not to delay the patch.

Via The Register

Many top 5G phones could have major security issues - what you need to know
Here's a list of the best antivirus tools on offer
These are the best endpoint protection tools right now

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.