Cyber Resilience

CVE-2024-12602

Medium

Published: 06 February 2025

Modified: 17 March 2025
CVSS Score v3.1: 6.2 (CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0007 (20.7th percentile)
Risk Priority: 12 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-12602 is a medium-severity Channel Accessible by Non-Endpoint (CWE-300) vulnerability in Huawei HarmonyOS. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). The CVE ranks at the 20.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-9 (Service Identification and Authentication).

Deeper analysis

CVE-2024-12602 is an identity verification vulnerability in the ParamWatcher module. This flaw affects service confidentiality, as indicated by its CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It is associated with CWE-300 (Channel Accessible by Non-Endpoint) and NVD-CWE-noinfo. The vulnerability was published on 2025-02-06T13:15:38.907.

A local attacker can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows the attacker to achieve high-impact confidentiality violations, potentially accessing sensitive service data without affecting integrity or availability.

Huawei has published a security bulletin at https://consumer.huawei.com/en/support/bulletin/2025/2/ detailing the issue, which security practitioners should consult for mitigation guidance and available patches.

Vulnerability details

Identity verification vulnerability in the ParamWatcher module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1005 · Data from Local System · Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Local channel access flaw directly enables reading sensitive data from the local system (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-24915 · Same product: Huawei HarmonyOS
CVE-2024-56435 · Same product: Huawei HarmonyOS
CVE-2024-56443 · Same product: Huawei HarmonyOS
CVE-2024-57954 · Same product: Huawei HarmonyOS
CVE-2026-24921 · Same product: Huawei HarmonyOS
CVE-2024-56444 · Same product: Huawei HarmonyOS
CVE-2026-24925 · Same product: Huawei HarmonyOS
CVE-2025-68958 · Same product: Huawei HarmonyOS
CVE-2025-68960 · Same product: Huawei HarmonyOS
CVE-2024-57962 · Same product: Huawei HarmonyOS

Affected Assets

Vendor: huawei
Product: harmonyos
Version: 5.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces approved authorizations for access to the ParamWatcher module, preventing local unauthenticated attackers from achieving high confidentiality impact.

prevent

Mandates identification and authentication for services like ParamWatcher, mitigating the identity verification flaw exploitable by local attackers with no privileges.

prevent

Limits access rights to the minimum necessary, reducing the scope of sensitive service data accessible via the identity verification vulnerability.
