In wlan AP driver, there is a possible way to inject arbitrary packet due to a missing permission check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00413202; Issue ID: MSV-3303.
The vulnerability results from omission of required authorization verification in the WLAN access point driver (wlan AP driver). A network attacker, without needing any privileges on the device, can craft and inject arbitrary network packets. The attack requires no user interaction, and its vector is fully remote (AV:N, AC:L, PR:N, UI:N), making it particularly dangerous.
An attacker can remotely perform privilege escalation — obtain elevated privileges on the vulnerable device without requiring prior access, threatening complete system takeover (violation of confidentiality, integrity, and availability).
Apply patch with identifier WCNCR00413202 (Issue ID: MSV-3303) available in the MediaTek security bulletin from June 2025 according to references: https://corp.mediatek.com/product-security-bulletin/June-2025
Devices equipped with MediaTek chips MT7915, MT7916, MT6990, MT7981 and OpenWrt systems running on these platforms — specific firmware versions indicated in manufacturer references (MediaTek security bulletin, June 2025).
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HMediatek Mt6890
HWMediatekwszystkie wersjeMediatek Mt6990
HWMediatekwszystkie wersjeMediatek Mt7915
HWMediatekwszystkie wersjeMediatek Mt7916
HWMediatekwszystkie wersjeMediatek Mt7981
HWMediatekwszystkie wersjeMediatek Mt7986
HWMediatekwszystkie wersjeMediatek Mt7990
HWMediatekwszystkie wersjeMediatek Mt7992
HWMediatekwszystkie wersjeMediatek Mt7993
HWMediatekwszystkie wersjeMediatek Software Development Kit
APPMediatek≤ 7.6.7.2Openwrt
OSOpenwrt19.07.021.02.023.05
Related vulnerabilities
Stack-based Buffer Overflow w mdns daemon OpenWrt — możliwy RCE
Stack-based Buffer Overflow w demonie mdns OpenWrt — przepełnienie stosu przez PTR query
Out-of-bounds write w sterowniku WLAN AP MediaTek – privilege escalation
Out-of-bounds write w sterowniku WLAN AP MediaTek — privilege escalation
Out of bounds write w sterowniku wlan AP — eskalacja uprawnień na układach MediaTek