Cyber Posture

CVE-2025-20637

High

Published: 03 February 2025

Published
03 February 2025
Modified
17 March 2025
KEV Added
Patch
CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Score 0.0481 89.6th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-20637 is a high-severity Uncaught Exception (CWE-248) vulnerability in Mediatek Software Development Kit. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 10.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Directly remediates the uncaught exception vulnerability by applying the vendor-provided patch WCNCR00399035, preventing remote DoS exploitation.

SC-5 Denial-of-service Protection good match
prevent

Implements denial-of-service protections such as rate limiting and traffic filtering to block remote attacks triggering the system hang in network hardware.

SI-11 Error Handling partial match
prevent

Ensures proper error handling for exceptions to avoid system hangs from malformed network inputs, addressing CWE-248 and CWE-754 root causes.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Remote unauthenticated exploitation of uncaught exception in network hardware directly enables system/application crash for DoS impact.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

In network HW, there is a possible system hang due to an uncaught exception. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00399035; Issue ID:…

more

MSV-2380.

Deeper analysisAI

CVE-2025-20637 is a vulnerability in network hardware where an uncaught exception can cause a system hang. This issue affects MediaTek network hardware components, as detailed in the vendor's product security bulletin. Associated with CWE-248 (Uncaught Exception) and CWE-754 (Improper Check for Unusual or Exceptional Conditions), it has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high availability impact with low attack complexity.

A remote attacker can exploit this vulnerability over the network without requiring authentication privileges or user interaction. Successful exploitation leads to a denial of service by triggering a system hang, disrupting service availability but without compromising confidentiality or integrity.

MediaTek's February 2025 product security bulletin provides mitigation details, including Patch ID WCNCR00399035 and Issue ID MSV-2380, which address the vulnerability in affected components. Security practitioners should consult the bulletin at https://corp.mediatek.com/product-security-bulletin/February-2025 for patch deployment instructions and verification steps.

Details

CWE(s)
CWE-248CWE-754

Affected Products

mediatek
software development kit
≤ 7.6.7.0

CVEs Like This One

CVE-2026-20401Same vendor: Mediatek
CVE-2025-20646Same product: Mediatek Mt7981
CVE-2025-20631Same product: Mediatek Mt7981
CVE-2025-20632Same product: Mediatek Mt7981
CVE-2025-20633Same product: Mediatek Software Development Kit
CVE-2026-20430Same product: Mediatek Mt7981
CVE-2026-0109Shared CWE-754
CVE-2026-32770Shared CWE-248
CVE-2025-20634Same vendor: Mediatek
CVE-2026-20423Same vendor: Mediatek

References