CVE-2025-20637
Published: 03 February 2025
Description
In network HW, there is a possible system hang due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00399035; Issue ID: MSV-2380.
Security Summary
CVE-2025-20637 is a vulnerability in network hardware where an uncaught exception can cause a system hang. This issue affects MediaTek network hardware components, as detailed in the vendor's product security bulletin. Associated with CWE-248 (Uncaught Exception) and CWE-754 (Improper Check for Unusual or Exceptional Conditions), it has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with low attack complexity.
A remote attacker can exploit this vulnerability over the network without requiring privileges or user interaction. Successful exploitation triggers a system hang, causing a denial of service; confidentiality and integrity are not affected.
MediaTek's February 2025 product security bulletin provides mitigation details, including Patch ID WCNCR00399035 and Issue ID MSV-2380, which address the vulnerability in affected components. Security practitioners should consult the bulletin at https://corp.mediatek.com/product-security-bulletin/February-2025 for patch deployment instructions and verification steps.
Details
- CWE(s)