Command Injection Vulnerability in MediaTek WLAN Service
CVE-2023-20820

7.2HIGH

Key Information:

Vendor: MediaTek
Status: Mt6890, Mt7603, Mt7612, Mt7613, Mt7615, Mt7622, Mt7626, Mt7629, Mt7915, Mt7916, Mt7981, Mt7986, Mt7990
Vendor: CVE Published:; 4 September 2023

Summary

The WLAN service developed by MediaTek is susceptible to a command injection vulnerability caused by inadequate input validation. This security flaw could allow an attacker to execute remote code with system-level privileges, enabling potential unauthorized access and manipulation of the system. Importantly, user interaction is not necessary for an attacker to exploit this vulnerability, increasing the risk of exploitation for affected systems. MediaTek has issued a patch (Patch ID: WCNCR00244189) to address this issue. For detailed information, refer to the product security bulletin from MediaTek.

Affected Version(s)

MT6890, MT7603, MT7612, MT7613, MT7615, MT7622, MT7626, MT7629, MT7915, MT7916, MT7981, MT7986, MT7990 OpenWRT 19.07, 21.02

References

https://corp.mediatek.com/product-security-bulletin/Septe...

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 4, 2023
Vulnerability Reserved
Oct 28, 2022