CVE-2024-11624

High

Published: 03 January 2025

Published

03 January 2025

Modified

24 July 2025

KEV Added

—

Patch

—

CVSS Score 7.8 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0001 0.4th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-11624 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, ranked at the 0.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-19 (Access Control for Mobile Devices) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

Directly enforces approved authorizations for access, addressing the undeclared permission that allows apps to bypass VPN and escalate privileges.

AC-19 Access Control for Mobile Devices good match

prevent

Establishes usage restrictions and access controls specifically for mobile devices like Android Pixel, mitigating permission-based bypasses on such platforms.

AC-6 Least Privilege good match

prevent

Employs least privilege to restrict low-privilege apps from escalating via VPN bypass, limiting the impact of the vulnerability.

NVD Description

there is a possible to add apps to bypass VPN due to Undeclared Permission . This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-11624 is a vulnerability in Android Pixel devices caused by an undeclared permission that allows apps to bypass VPN configurations. This flaw, classified under CWE-276 (Incorrect Default Permissions), enables local escalation of privilege without needing additional execution privileges or user interaction. It received a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on January 3, 2025.

A local attacker with low privileges can exploit this vulnerability due to its low attack complexity and lack of required user interaction. Successful exploitation leads to high-impact confidentiality, integrity, and availability violations, allowing the attacker to escalate privileges on the affected device.

The Android security bulletin for Pixel devices, dated December 1, 2024 (available at https://source.android.com/security/bulletin/pixel/2024-12-01), addresses this vulnerability with patches for mitigation. Security practitioners should ensure affected Pixel devices are updated to the patched firmware versions outlined in the bulletin.

Details

CWE(s): CWE-276

Affected Products

google

android

all versions

CVEs Like This One

CVE-2018-9401Same product: Google Android

CVE-2024-43769Same product: Google Android

CVE-2024-49744Same product: Google Android

CVE-2024-49735Same product: Google Android

CVE-2024-43765Same product: Google Android

CVE-2024-53835Same product: Google Android

CVE-2024-49732Same product: Google Android

CVE-2018-9434Same product: Google Android

CVE-2024-49737Same product: Google Android

CVE-2024-34730Same product: Google Android

References

https://source.android.com/security/bulletin/pixel/2024-12-01
Vendor Advisory · dsap-vuln-management@google.com