CVE-2025-20665 in MT6580info

Summary

by MITRE • 05/05/2025

In devinfo, there is a possible information disclosure due to a missing SELinux policy. This could lead to local information disclosure of device identifier with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: ALPS09555228; Issue ID: MSV-2760.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 05/05/2025

The vulnerability identified as CVE-2025-20665 resides within the devinfo component of Android systems, representing a significant security gap that stems from inadequate mandatory access controls. This issue manifests as a missing SELinux policy that should normally restrict access to sensitive device identifiers. The flaw operates at the kernel level where device information is exposed without proper authorization mechanisms, creating a pathway for unauthorized data disclosure. The vulnerability specifically impacts the device identifier information that would typically be restricted to authorized system processes only, yet remains accessible to any local user or process due to the missing security policy enforcement.

The technical implementation of this vulnerability demonstrates a failure in the security model where SELinux policies that should enforce access control for device information are either absent or improperly configured. This represents a direct violation of the principle of least privilege as defined in cybersecurity frameworks, where processes should only have access to resources necessary for their operation. The missing policy creates a security boundary failure that allows local processes to access device identifiers that should remain protected within the system's security architecture. This type of flaw commonly maps to CWE-250, which addresses improper privileges, and can be categorized under ATT&CK technique T1082 for system information discovery. The vulnerability does not require any special execution privileges or user interaction, making it particularly concerning as it can be exploited by any local user with basic system access.

The operational impact of this vulnerability extends beyond simple information disclosure, as device identifiers can serve as critical components in tracking and identifying specific devices within network environments. These identifiers may include unique hardware serial numbers, model identifiers, or other device-specific attributes that could be leveraged in various attack scenarios including device fingerprinting, targeted attacks, or even supply chain compromise attempts. The lack of user interaction requirements means that exploitation can occur automatically without any deliberate action from an attacker, making this vulnerability particularly dangerous in environments where local access is possible. This flaw essentially undermines the integrity of the device's security posture by exposing information that should remain confidential within the system's access control framework.

Mitigation strategies for this vulnerability must focus on implementing the proper SELinux policies that were missing from the original configuration. The patch ALPS09555228 specifically addresses this issue by restoring the necessary security policies that govern access to device information. Organizations should ensure that all devices receive this patch promptly and verify that the SELinux policies are correctly enforced through system audits and compliance checks. System administrators should also implement regular security assessments to identify any other missing security policies that could create similar vulnerabilities. The remediation process should include validating that device identifiers are no longer accessible to unauthorized processes while maintaining legitimate system functionality. Additionally, monitoring systems should be configured to detect any unauthorized access attempts to device information, providing an additional layer of defense against potential exploitation of this vulnerability.

Responsible

MediaTek

Reservation

11/01/2024

Disclosure

05/05/2025

Moderation

accepted

CPE

ready

EPSS

0.00089

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!