Cyber Posture

CVE-2024-12602

Medium

Published: 06 February 2025

Modified: 17 March 2025
KEV Added
Patch
CVSS Score: 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (20.4th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12602 is a medium-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.2 (Medium).

Operationally, it ranks at the 20.4th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly enforces approved authorizations for access to the ParamWatcher module, preventing local unauthenticated attackers from achieving high confidentiality impact.

prevent: Mandates identification and authentication for services like ParamWatcher, mitigating the identity verification flaw exploitable by local attackers with no privileges.

prevent: Limits access rights to the minimum necessary, reducing the scope of sensitive service data accessible via the identity verification vulnerability.

NVD Description

Identity verification vulnerability in the ParamWatcher module
Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Deeper analysis (AI)

CVE-2024-12602 is an identity verification vulnerability in the ParamWatcher module. This flaw affects service confidentiality, as indicated by its CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It is associated with CWE-300 (Channel Accessible by Non-Endpoint) and NVD-CWE-noinfo. The vulnerability was published on 2025-02-06T13:15:38.907.

A local attacker can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows the attacker to achieve high-impact confidentiality violations, potentially accessing sensitive service data without affecting integrity or availability.

Huawei has published a security bulletin at https://consumer.huawei.com/en/support/bulletin/2025/2/ detailing the issue, which security practitioners should consult for mitigation guidance and available patches.

Details

CWE(s)

Affected Products

huawei harmonyos 5.0.0

CVEs Like This One

CVE-2025-68960 (Same product: Huawei HarmonyOS)
CVE-2024-56436 (Same product: Huawei HarmonyOS)
CVE-2025-68968 (Same product: Huawei HarmonyOS)
CVE-2024-56437 (Same product: Huawei HarmonyOS)
CVE-2026-24926 (Same product: Huawei HarmonyOS)
CVE-2026-24921 (Same product: Huawei HarmonyOS)
CVE-2026-28536 (Same product: Huawei HarmonyOS)
CVE-2026-34856 (Same product: Huawei HarmonyOS)
CVE-2024-56439 (Same product: Huawei HarmonyOS)
CVE-2024-56443 (Same product: Huawei HarmonyOS)
