Cyber Resilience

CVE-2024-53011

High

Published: 03 March 2025

Published
03 March 2025
Modified
11 August 2025
KEV Added
Patch
CVSS Score v3.1 7.9 CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N
EPSS Score 0.0007 20.7th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-53011 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Qualcomm Snapdragon 8\+ Gen 1 Mobile Platform Firmware. Its CVSS base score is 7.9 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 20.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-53011 is an information disclosure vulnerability stemming from improper permission and access controls in the Video Analytics engine. It affects Qualcomm components, as detailed in the vendor's security bulletin. The issue is rated with a CVSS v3.1 base score of 7.9 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) and is associated with CWE-264 (Permissions, Privileges, and Access Controls) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability was published on March 3, 2025.

Exploitation requires local access (AV:L) with low attack complexity (AC:L) and high privileges (PR:H), needing no user interaction (UI:N). Successful attacks have a changed scope (S:C), enabling high confidentiality (C:H) and integrity (I:H) impacts with no availability disruption (A:N). A privileged local attacker could leverage the flawed controls to disclose sensitive information from the Video Analytics engine and potentially modify data.

For mitigation details, refer to the Qualcomm March 2025 Security Bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html, which provides guidance on patches and workarounds.

EU & UK References

Vulnerability details

Information disclosure may occur due to improper permission and access controls to Video Analytics engine.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Local improper access controls enable privilege escalation via sensitive data disclosure and modification with scope change.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-47346Same product: Qualcomm Fastconnect 6700
CVE-2024-49833Same product: Qualcomm Fastconnect 6700
CVE-2024-33055Same product: Qualcomm Fastconnect 6900
CVE-2024-49843Same product: Qualcomm Fastconnect 7800
CVE-2025-47348Same product: Qualcomm Fastconnect 6700
CVE-2024-53024Same product: Qualcomm Fastconnect 6700
CVE-2024-45582Same product: Qualcomm Fastconnect 6900
CVE-2024-33041Same product: Qualcomm Fastconnect 6900
CVE-2024-45580Same product: Qualcomm Fastconnect 6900
CVE-2024-45553Same product: Qualcomm Fastconnect 6700

Affected Assets

qualcomm
snapdragon 8\+ gen 1 mobile platform firmware
all versions
qualcomm
snapdragon 8\+ gen 2 mobile platform firmware
all versions
qualcomm
snapdragon ar1 gen 1 platform \"luna1\" firmware
all versions
qualcomm
fastconnect 6700 firmware
all versions
qualcomm
fastconnect 6900 firmware
all versions
qualcomm
fastconnect 7800 firmware
all versions
qualcomm
flight rb5 5g platform firmware
all versions
qualcomm
qca6391 firmware
all versions
qualcomm
qca6564 firmware
all versions
qualcomm
qca6564au firmware
all versions
+73 more product configuration(s) — see NVD for full list

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 requires enforcement of approved authorizations for access to system resources like the Video Analytics engine, directly addressing the improper permission and access controls causing information disclosure.

prevent

AC-6 enforces least privilege, mitigating the vulnerability by restricting even high-privilege (PR:H) local attackers from accessing sensitive Video Analytics engine data beyond necessary tasks.

prevent

AC-25 implements a tamper-resistant reference monitor for complete mediation of accesses, preventing bypass of flawed permission controls in the Video Analytics engine.

References