CVE-2023-52954
Published: 08 January 2025
Summary
CVE-2023-52954 is a medium-severity Incorrect Default Permissions (CWE-276) vulnerability in Huawei Harmonyos. Its CVSS base score is 4.4 (Medium).
Operationally, ranked at the 15.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2023-52954 is a vulnerability involving improper permission control in the Gallery module. It affects Huawei consumer products and was published on 2025-01-08 with a CVSS v3.1 base score of 4.4 (AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L). The issue is linked to CWEs-701 (Incorrect Control Flow Scoping) and CWE-276 (Incorrect Default Permissions).
A local attacker can exploit this vulnerability with low attack complexity, requiring user interaction but no special privileges. Successful exploitation may result in low-impact effects on confidentiality and availability, with no impact on integrity.
Huawei's security bulletin at https://consumer.huawei.com/en/support/bulletin/2025/1/ provides details on the vulnerability, including mitigation recommendations for affected devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-59439
Vulnerability details
Vulnerability of improper permission control in the Gallery module Impact: Successful exploitation of this vulnerability may affect availability.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Insufficient information to map techniques.CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to Gallery module resources, directly mitigating improper permission controls and preventing local exploitation.
Applies least privilege to restrict access in the Gallery module, countering CWE-276 incorrect default permissions exploited by local attackers.
Enables timely identification, reporting, and correction of the specific Gallery module flaw (CVE-2023-52954), preventing exploitation as recommended in Huawei's security bulletin.