CVE-2025-20649

Published: Mar 3, 2025Modified: Apr 22, 2025

6.5

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

In Bluetooth Stack SW, there is a possible information disclosure due to a missing permission check. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00396437; Issue ID: MSV-2184.

Affected (2)

Products: Mediatek: Software Development Kit · Openwrt: Openwrt

Mediatek

1 product

Software Development Kit

Openwrt

1 product

Openwrt

Configuration A

2 vulnerable · 9 platform

Vulnerable Software	Affected Versions
Mediatek Software Development Kit	Up to 3.6
Openwrt Openwrt	Version 23.05

Running on/with	Platform Versions
Mediatek Mt6880	All versions
Mediatek Mt6890	All versions
Mediatek Mt6980	All versions
Mediatek Mt6990	All versions
Mediatek Mt7663	All versions
Mediatek Mt7902	All versions
Mediatek Mt7925	All versions
Mediatek Mt7927	All versions
Mediatek Mt7961	All versions

Related CWEs

CWE-280

Improper Handling of Insufficient Permissions or Privileges

The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state.

References (1)

https://corp.mediatek.com/product-security-bulletin/March-2025

Source: security@mediatek.com

Vendor Advisory

Timeline

No history available yet.