Cyber Posture

CVE-2024-20150

Severity: High · Tag: RCE

Published: 06 January 2025
Modified: 22 April 2025
KEV Added: not listed
Patch: MOLY01412526
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0736 (91.8th percentile)
Risk Priority: 19 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-20150 is a high-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Mediatek Lr12A. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 8.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- prevent: Directly requires timely remediation of known flaws like this modem logic error via patches such as MOLY01412526 to prevent remote DoS exploitation.

- prevent (SC-5, Denial-of-service Protection): Implements protections specifically against denial-of-service attacks that cause system crashes from remote network access to the vulnerable modem component.

- prevent (SI-10, Information Input Validation): Validates untrusted network inputs to the modem to block malformed data triggering the deserialization-related logic error (CWE-502).

NVD Description

In Modem, there is a possible system crash due to a logic error. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01412526; Issue ID: MSV-2018.

Deeper analysis

CVE-2024-20150 is a logic error vulnerability in the Modem component of MediaTek products, which can cause a system crash. Published on January 6, 2025, it is tracked with Patch ID MOLY01412526 and Issue ID MSV-2018, and is associated with CWE-502 (Deserialization of Untrusted Data). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with no confidentiality or integrity effects.

Remote attackers can exploit this vulnerability without authentication or user interaction, requiring only network access and low complexity. Successful exploitation leads to a denial of service via system crash, with no additional execution privileges needed.

MediaTek's January 2025 Product Security Bulletin at https://corp.mediatek.com/product-security-bulletin/January-2025 provides details on the issue, including the associated patch MOLY01412526 for mitigation. Security practitioners should apply the relevant firmware updates to affected devices.

Details

CWE(s)

CWE-502 (Deserialization of Untrusted Data)

Affected Products

| Vendor | Product | Versions |
|---|---|---|
| mediatek | lr12a | all versions |
| mediatek | lr13 | all versions |
| mediatek | nr15 | all versions |
| mediatek | nr16 | all versions |
| mediatek | nr17 | all versions |

CVEs Like This One

- CVE-2024-20149 (same product: Mediatek Lr13)
- CVE-2026-20434 (same product: Mediatek Lr12A)
- CVE-2025-20727 (same product: Mediatek Lr12A)
- CVE-2024-20154 (same product: Mediatek Lr12A)
- CVE-2025-20708 (same product: Mediatek Mt2735)
- CVE-2025-20634 (same product: Mediatek Mt2737)
- CVE-2026-20433 (same product: Mediatek Mt2735)
- CVE-2026-20432 (same product: Mediatek Mt2735)
- CVE-2026-20401 (same product: Mediatek Mt2735)
- CVE-2025-20646 (same product: Mediatek Mt6890)
