CVE-2024-45356
Published: 27 March 2025
Summary
CVE-2024-45356 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Mi (inferred from references). Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 38.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2024-45356 is an unauthorized access vulnerability in the Xiaomi phone framework, stemming from improper validation of inputs or permissions. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), enables attackers to access sensitive methods within the framework. It carries a CVSS v3.1 base score of 7.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H), indicating high severity due to significant impacts on confidentiality and availability.
The vulnerability can be exploited by local attackers with no required privileges, though it demands low-complexity techniques and user interaction, such as clicking a malicious link or installing a crafted app. Successful exploitation grants high-level access to confidential data via sensitive methods, with potential for low integrity disruption and high availability impairment, such as denial-of-service effects on framework components.
For mitigation details, refer to the official advisory from Xiaomi at https://trust.mi.com/zh-CN/misrc/bulletins/advisory?cveId=554, which likely outlines patches or workarounds for affected devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8285
Vulnerability details
A unauthorized access vulnerability exists in the Xiaomi phone framework. The vulnerability is caused by improper validation and can be exploited by attackers to Access sensitive methods.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Missing authentication for critical functions in the phone framework enables unauthorized access to sensitive methods without privileges, directly facilitating privilege escalation (T1068), collection of confidential local data (T1005), and denial-of-service on framework components (T1499). Exploitation requires user interaction via malicious links or crafted apps (T1204).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces approved authorizations for access to sensitive methods, directly addressing the improper validation causing unauthorized access in the Xiaomi framework.
Validates inputs at entry points to prevent exploitation of improper validation flaws leading to unauthorized access to critical functions.
Applies least privilege to limit access to sensitive framework methods, reducing the impact of missing authentication checks.