Cyber Resilience

CVE-2025-20637

Severity: High

Published: 03 February 2025
Modified: 17 March 2025
KEV Added: not listed
Patch: vendor patch available (WCNCR00399035)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0481 (89.7th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-20637 is a high-severity Uncaught Exception (CWE-248) vulnerability in Mediatek Software Development Kit. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 10.3% of CVEs by exploit likelihood, but it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

In network hardware from MediaTek, an uncaught exception can trigger a system hang, resulting in remote denial of service. The flaw is tracked as CWE-248 and CWE-754, carries a CVSS 3.1 score of 7.5, and requires no privileges or user interaction for exploitation. Patch ID WCNCR00399035 addresses Issue ID MSV-2380.

An unauthenticated remote attacker can send crafted network traffic to the affected hardware and cause the device to become unresponsive, producing a denial-of-service condition without further access or interaction.

MediaTek’s February 2025 product security bulletin lists the issue and directs users to the referenced patch for remediation.

EPSS for the CVE reached a peak of 0.0617 on 2026-03-15 before receding to the current value of 0.0481.

Vulnerability details

In network HW, there is a possible system hang due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00399035; Issue ID: MSV-2380.

CWE(s)

CWE-248 (Uncaught Exception), CWE-754 (Improper Check for Unusual or Exceptional Conditions)

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1499.004 Application or System Exploitation (tactic: Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Remote unauthenticated exploitation of uncaught exception in network hardware directly enables system/application crash for DoS impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-20401 (same vendor: Mediatek)
CVE-2025-20646 (same product: Mediatek Mt7981)
CVE-2025-20631 (same product: Mediatek Mt7981)
CVE-2025-20632 (same product: Mediatek Mt7981)
CVE-2024-20149 (same vendor: Mediatek)
CVE-2024-20150 (same vendor: Mediatek)
CVE-2025-20633 (same product: Mediatek Software Development Kit)
CVE-2026-20452 (same product: Mediatek Mt7981)
CVE-2026-20430 (same product: Mediatek Mt7981)
CVE-2026-4693 (shared CWE-754)

Affected Assets

Vendor: mediatek
Product: software development kit
Versions: ≤ 7.6.7.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) [AI]

[prevent] SI-2 Flaw Remediation: Directly remediates the uncaught exception vulnerability by applying the vendor-provided patch WCNCR00399035, preventing remote DoS exploitation.

[prevent] SC-5 Denial-of-service Protection: Implements denial-of-service protections such as rate limiting and traffic filtering to block remote attacks triggering the system hang in network hardware.

[prevent] Ensures proper error handling for exceptions to avoid system hangs from malformed network inputs, addressing the CWE-248 and CWE-754 root causes.

References