CVE-2024-20149
Published: 06 January 2025
Summary
CVE-2024-20149 is a high-severity Improper Validation of Specified Quantity in Input (CWE-1284) vulnerability in Mediatek Lr12. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 19.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-20149 is a vulnerability in the Modem component stemming from improper input validation (CWE-1284), which can trigger a system crash. It affects MediaTek products, as detailed in their product security bulletin.
The vulnerability enables a remote denial-of-service attack, exploitable by any unauthenticated attacker over the network with low attack complexity and no user interaction required. Successful exploitation results in high-impact availability disruption (A:H) without affecting confidentiality or integrity, earning a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
MediaTek advisories recommend applying patches MOLY01231341, MOLY01263331, or MOLY01233835 to mitigate the issue (tracked as MSV-2165). Full details are available in the January 2025 product security bulletin at https://corp.mediatek.com/product-security-bulletin/January-2025.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-17864
Vulnerability details
In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01231341 / MOLY01263331 /…
more
MOLY01233835; Issue ID: MSV-2165.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Remote network exploitation of improper input validation in modem component directly enables application/system crash for availability impact (T1499.004).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires timely identification, reporting, and correction of the Modem flaw via patches MOLY01231341, MOLY01263331, or MOLY01233835 to eliminate the improper input validation vulnerability.
Directly mandates information input validation mechanisms at entry points like the Modem to prevent system crashes from improper input handling.
Provides protection against or limits the effects of remote denial-of-service events exploiting the unvalidated network inputs in the Modem component.