CVE-2026-20452

HIGH

MediaTek Chipset - Heap-based Buffer Overflow

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-20452. PoCs published by hacefresko, Hunt-Benito.

Description

In wlan AP driver, there is a possible memory corruption due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00480138; Issue ID: MSV-6295.

Exploits (2)

GitHub · WORKING POC · 7 stars
by hacefresko · python · poc
https://github.com/hacefresko/CVEs/tree/main/CVE-2026-20452

This exploit targets a heap overflow vulnerability in a UPnP service (WFAWLANConfig) on port 49152, leveraging a crafted SOAP request to achieve remote code execution (RCE) via shellcode injection. The payload modifies the root password in `/data/zcfg_config.json` and attempts SSH login with the new credentials.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Complex
Reliability: Racy
Target: Unknown UPnP service (WFAWLANConfig) on port 49152
No auth needed
Prerequisites: Network access to target's UPnP service on port 49152 · Vulnerable firmware/software version
devstral-2 · analyzed Jun 01, 2026

GitHub · WORKING POC
by Hunt-Benito · python · poc
https://github.com/Hunt-Benito/mediatek-wlan-heap-overflow-cve-2026-20452-filogic-router-rce

This repository contains a functional proof-of-concept exploit for CVE-2026-20452, a heap-based buffer overflow in MediaTek's WLAN Access Point driver. The exploit crafts malformed 802.11 data frames with oversized Information Elements to trigger the vulnerability.

Classification: Working PoC 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: MediaTek WLAN AP driver (affecting MT7615, MT7915, MT7916, MT7981, MT7986, MT7990, MT7992, MT7993, MT6890)
No auth needed
Prerequisites: Monitor-mode Wi-Fi interface · Scapy library · Python 3.7+
devstral-2 · analyzed Jun 06, 2026

Scores

CVSS v3: 8.0
EPSS: 0.0003
EPSS Percentile: 7.5%
Attack Vector: ADJACENT_NETWORK
Vector string: CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-122
Status: published
Products (18):
mediatek/mt6890_firmware
mediatek/mt7615_firmware
mediatek/mt7915_firmware
mediatek/mt7916_firmware
mediatek/mt7981_firmware
mediatek/mt7986_firmware
mediatek/mt7990_firmware
mediatek/mt7992_firmware
mediatek/mt7993_firmware
MediaTek, Inc./MediaTek chipset MT6890
... and 8 more
Published: Jun 01, 2026
Tracked Since: Jun 01, 2026