CVE-2020-0069

HIGH KEV

Mediatek Command Queue driver - Privilege Escalation

Exploitation Summary

CVE-2020-0069 is actively exploited and listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, added November 3, 2021. EIP tracks 4 public exploits from researchers including R0rt1z2, quarkslab, TheRealJunior.

Description

In the ioctl handlers of the Mediatek Command Queue driver, there is a possible out of bounds write due to insufficient input sanitization and missing SELinux restrictions. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Product: Android
Versions: Android kernel
Android ID: A-147882143
References: M-ALPS04356754

Exploits (4)

nomisec WORKING POC 179 stars
by R0rt1z2 · local
https://github.com/R0rt1z2/AutomatedRoot

This repository contains a functional exploit for CVE-2020-0069, targeting MediaTek devices to achieve root access via the `mtk-su` exploit. It includes scripts for both system-mode (SuperSU) and bootless-mode (Magisk) rooting, as well as unrooting capabilities.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: MediaTek ARMv8 devices
No auth needed
Prerequisites: ADB access · mtk-su binaries · Python 3.9+ · MediaTek device with vulnerable firmware
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 108 stars
by quarkslab · local
https://github.com/quarkslab/CVE-2020-0069_poc

This repository contains a proof-of-concept exploit for CVE-2020-0069, targeting a Mediatek SoC (MT6762M) on a Xiaomi Redmi 6a. The exploit demonstrates arbitrary kernel memory read/write capabilities via the CMDQ driver, allowing modification of kernel data (e.g., changing the OS name string).

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Mediatek CMDQ driver (Linux kernel 4.9.77+ on MT6762M)
No auth needed
Prerequisites: Physical or ADB access to the target device · Mediatek SoC with vulnerable CMDQ driver
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 16 stars
by TheRealJunior · poc
https://github.com/TheRealJunior/mtk-su-reverse-cve-2020-0069

This repository contains a proof-of-concept exploit for CVE-2020-0069, targeting a vulnerability in MediaTek's Command Queue (CMDQ) driver. The exploit includes kernel module source code and scripts to analyze and interact with the vulnerable driver.

Classification: Working PoC 80%
Attack Type: LPE
Complexity: Complex
Reliability: Theoretical
Target: MediaTek CMDQ driver (Android kernel 3.18)
No auth needed
Prerequisites: Access to a vulnerable MediaTek device with the affected CMDQ driver
devstral-2 · analyzed Feb 16, 2026

nomisec WORKING POC 12 stars
by 0xf15h · local
https://github.com/0xf15h/mtk_su

This repository contains a functional local privilege escalation (LPE) exploit for CVE-2020-0069, targeting MediaTek MT6739 SoCs running Android 8.1.0. The exploit leverages kernel memory manipulation to achieve root access, with components for disassembly, symbol resolution, and SELinux bypass.

Classification: Working PoC 95%
Attack Type: LPE
Complexity: Complex
Reliability: Reliable
Target: MediaTek MT6739 SoC with Android 8.1.0
No auth needed
Prerequisites: Physical or local access to a vulnerable MediaTek device · Android NDK for compilation
devstral-2 · analyzed Feb 16, 2026

References (3)

Core 3

Scores

CVSS v3 7.8
EPSS 0.0077
EPSS Percentile 74.0%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation active
Automatable no
Technical Impact total

Details

CISA KEV 2021-11-03
VulnCheck KEV 2021-10-28
InTheWild.io 2021-07-23
ENISA EUVD EUVD-2020-1576
CWE CWE-787
Status published
Products (29)
google/android
huawei/berkeley-l09_firmware < 10.0.0.177(c10e3r1p4)
huawei/columbia-al10b_firmware < 10.0.0.178(c00e178r1p4)
huawei/columbia-l29d_firmware < 10.0.0.177(c10e4r1p4)
huawei/columbia-tl00b_firmware < 10.0.0.178(c01e178r1p4)
huawei/columbia-tl00d_firmware < 10.0.0.178(c01e178r1p4)
huawei/cornell-al00a_firmware < 9.1.0.340(c00e333r1p1t8)
huawei/cornell-tl10b_firmware < 9.1.0.340(c01e333r1p1t8)
huawei/dura-al00a_firmware < 1.0.0.190(c00)
huawei/honor_20_pro_firmware < 10.0.0.194(c636e3r3p1)
... and 19 more
Published Mar 10, 2020
KEV Added Nov 03, 2021
Tracked Since Feb 18, 2026