Cyber Resilience

CVE-2023-52954

Medium

Published: 08 January 2025

Modified: 13 January 2025
KEV Added
Patch
CVSS Score v3.1: 4.4 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L)
EPSS Score: 0.0005 (15.5th percentile)
Risk Priority: 9 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52954 is a medium-severity Incorrect Default Permissions (CWE-276) vulnerability in Huawei HarmonyOS. Its CVSS base score is 4.4 (Medium).

Operationally, it is ranked at the 15.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2023-52954 is a vulnerability involving improper permission control in the Gallery module. It affects Huawei consumer products and was published on 2025-01-08 with a CVSS v3.1 base score of 4.4 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L). The issue is linked to CWE-701 (Incorrect Control Flow Scoping) and CWE-276 (Incorrect Default Permissions).

A local attacker can exploit this vulnerability with low attack complexity, requiring user interaction but no special privileges. Successful exploitation may result in low-impact effects on confidentiality and availability, with no impact on integrity.

Huawei's security bulletin at https://consumer.huawei.com/en/support/bulletin/2025/1/ provides details on the vulnerability, including mitigation recommendations for affected devices.

Vulnerability details

Vulnerability of improper permission control in the Gallery module.
Impact: Successful exploitation of this vulnerability may affect availability.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-56440 (same product: Huawei EMUI)
CVE-2024-56447 (same product: Huawei EMUI)
CVE-2024-58044 (same product: Huawei EMUI)
CVE-2026-34854 (same product: Huawei EMUI)
CVE-2024-56438 (same product: Huawei EMUI)
CVE-2024-57961 (same product: Huawei EMUI)
CVE-2026-34859 (same product: Huawei EMUI)
CVE-2024-58043 (same product: Huawei EMUI)
CVE-2026-28553 (same product: Huawei EMUI)
CVE-2026-28552 (same product: Huawei EMUI)

Affected Assets

huawei / emui: 12.0.0, 13.0.0
huawei / harmonyos: 2.0.0, 2.1.0, 3.0.0, 3.1.0

Mitigating Controls (NIST 800-53 r5, AI)

Prevent: Enforces approved authorizations for access to Gallery module resources, directly mitigating improper permission controls and preventing local exploitation.

Prevent: Applies least privilege to restrict access in the Gallery module, countering CWE-276 incorrect default permissions exploited by local attackers.

Prevent: Enables timely identification, reporting, and correction of the specific Gallery module flaw (CVE-2023-52954), preventing exploitation as recommended in Huawei's security bulletin.
