CVE-2024-49737
Published: 21 January 2025
Summary
CVE-2024-49737 is a high-severity Incorrect Default Permissions (CWE-276) vulnerability in Google Android. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked at the 15.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly remediates the logic error in applyTaskFragmentOperation by applying vendor patches from Android Security Bulletins to prevent privilege escalation.
Enforces approved authorizations to block unauthorized launches of arbitrary activities as system UID in WindowOrganizerController.
Implements a tamper-resistant reference monitor to mediate and correctly enforce access control decisions in the flawed function.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct local privilege escalation via logic flaw in system component, matching Exploitation for Privilege Escalation.
NVD Description
In applyTaskFragmentOperation of WindowOrganizerController.java, there is a possible way to launch arbitrary activities as the system UID due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Deeper analysis
CVE-2024-49737 is a logic error in the applyTaskFragmentOperation function of WindowOrganizerController.java within the Android Open Source Project. This flaw enables an attacker to launch arbitrary activities with system UID privileges, resulting in a local escalation of privilege. No additional execution privileges beyond basic local access are required, and user interaction is unnecessary for exploitation. The vulnerability carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-276 (Incorrect Default Permissions).
A local attacker with low privileges, such as a malicious application or compromised user account on the device, can exploit this issue. By triggering the faulty logic in WindowOrganizerController, the attacker can launch arbitrary activities under the system UID, achieving full control over sensitive system functions and data. The result is high confidentiality, integrity, and availability impact, potentially allowing persistent device compromise.
The Android Security Bulletin for 2025-01-01 details patches addressing this vulnerability, available at https://source.android.com/security/bulletin/2025-01-01. Security practitioners should ensure devices are updated to the latest monthly releases to mitigate exposure.
Details
- CWE(s)