In the past few years, we’ve tried our hand at Vulnerability Reward Programs of all kinds of mobile vendors’ products and attack surfaces. Like many others, we’ve encountered as many misses as hits, learning valuable lessons from the mistakes we (and sometimes the vendors) have made.

We presented our experiences in a talk this summer at Troopers and Le Hack.

You can download the slides from here. A video of the presentations is not available yet, but the Troopers one will eventually be available here.

The talk covered several VR projects which were discussed publicly for the first time.

We have now released advisories for all of these newly discussed vulnerabilities, including:

At time of publication, Mediatek has not yet released a security bulletin for 10 of the 11 vulnerabilities that we have reported to them on June 23rd 2025. (CVE-2025-20678 is a duplicate, released in the June security bulletin two weeks prior to our report.)

For these vulnerabilities, we followed our published disclosure policy. In accordance with that, 120 days after our report, we are now releasing these vulnerabilities.

Of the 10, only 3 received a CVE assignment from Mediatek PSIRT. These are classified as Heap Overflow vulnerabilities. Mediatek’s explanation for not assigning a CVE to the other 7 vulnerabilities was that they classify them as denial-of-service vulnerabilities, which they rate as Low severity, and they do not assign CVEs for such vulnerabilities.

Several of those “Low severity” vulnerabilities (in particular: MSV-4624, MSV-4627, MSV-4628, MSV-4629) are based on malformed SDP payloads inside SIP messages. It has been discussed in prior art that this attack vector may be reachable fully end-to-end under certain limited circumstances. In other words, some of the vulnerabilities classified as “Low / No CVE” by Mediatek PSIRT may allow an attacker to arbitrarily and remotely crash the cellular connectivity chip of a device using the phone number of the victim alone.