Cyber Posture

CVE-2023-52955

Medium

Published: 08 January 2025

Modified: 13 January 2025
KEV Added
Patch
CVSS Score: 6.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
EPSS Score: 0.0010 (26.4th percentile)
Risk Priority: 13 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-52955 is a medium-severity Improper Authentication (CWE-287) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.5 (Medium).

Operationally, it is ranked at the 26.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent

Requires identification and authentication of system services such as the ANS module, directly addressing the improper authentication vulnerability that enables denial-of-service exploitation.

prevent

Enforces approved authorizations for access to system resources in the ANS service module, preventing unauthorized actions that cause abnormal feature performance.

prevent, recover

Mandates identification, reporting, and remediation of flaws like CVE-2023-52955's improper authentication, preventing exploitation and enabling recovery from availability disruptions.

NVD Description

Vulnerability of improper authentication in the ANS system service module
Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

Deeper analysis (AI)

CVE-2023-52955 is a vulnerability involving improper authentication in the ANS system service module. This flaw affects Huawei consumer products, as indicated by the vendor's security bulletin. Assigned a CVSS v3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H), it maps to CWE-264 (Permissions, Privileges, and Access Control) and CWE-287 (Improper Authentication). Successful exploitation may cause features to perform abnormally, primarily impacting availability.

A remote attacker with network access can exploit this vulnerability with low complexity and no required privileges, though user interaction is necessary, such as tricking a user into performing a specific action. The attack has an unchanged scope and results in high availability disruption without affecting confidentiality or integrity, effectively enabling a denial-of-service condition that disrupts normal feature operation.

Huawei has published a security bulletin addressing this issue at https://consumer.huawei.com/en/support/bulletin/2025/1/, which provides further details for affected users and practitioners.

Details

CWE(s)

Affected Products

huawei / emui: 12.0.0, 13.0.0
huawei / harmonyos: 2.0.0, 2.1.0, 3.0.0, 3.1.0

CVEs Like This One

CVE-2024-56440 (Same product: Huawei Emui)
CVE-2026-34853 (Same product: Huawei Emui)
CVE-2026-28542 (Same product: Huawei Emui)
CVE-2023-52953 (Same product: Huawei Emui)
CVE-2024-56438 (Same product: Huawei Emui)
CVE-2024-56442 (Same product: Huawei Emui)
CVE-2024-56434 (Same product: Huawei Emui)
CVE-2024-57958 (Same product: Huawei Emui)
CVE-2024-56447 (Same product: Huawei Emui)
CVE-2026-34859 (Same product: Huawei Emui)
