CVE-2024-12602
Published: 06 February 2025
Summary
CVE-2024-12602 is a medium-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.2 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 20.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).
Deeper analysis
CVE-2024-12602 is an identity verification vulnerability in the ParamWatcher module. This flaw affects service confidentiality, as indicated by its CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It is associated with CWE-300 (Channel Accessible by Non-Endpoint) and NVD-CWE-noinfo. The vulnerability was published on 2025-02-06T13:15:38.907.
A local attacker can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows the attacker to achieve high-impact confidentiality violations, potentially accessing sensitive service data without affecting integrity or availability.
Huawei has published a security bulletin at https://consumer.huawei.com/en/support/bulletin/2025/2/ detailing the issue, which security practitioners should consult for mitigation guidance and available patches.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-50992
Vulnerability details
Identity verification vulnerability in the ParamWatcher module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The local channel-access flaw directly enables reading sensitive data from the local system (T1005).
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Directly enforces approved authorizations for access to the ParamWatcher module, preventing local unauthenticated attackers from achieving high confidentiality impact.
- IA-9 (Service Identification and Authentication): Mandates identification and authentication for services like ParamWatcher, mitigating the identity verification flaw exploitable by local attackers with no privileges.
- Least privilege: Limits access rights to the minimum necessary, reducing the scope of sensitive service data accessible via the identity verification vulnerability.