CVE-2024-53011
Published: 03 March 2025
Summary
CVE-2024-53011 is a high-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Qualcomm Snapdragon 8+ Gen 1 Mobile Platform Firmware. Its CVSS base score is 7.9 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 20.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-25 (Reference Monitor) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2024-53011 is an information disclosure vulnerability stemming from improper permission and access controls in the Video Analytics engine. It affects Qualcomm components, as detailed in the vendor's security bulletin. The issue is rated with a CVSS v3.1 base score of 7.9 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N) and is associated with CWE-264 (Permissions, Privileges, and Access Controls) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). The vulnerability was published on March 3, 2025.
Exploitation requires local access (AV:L) and high privileges (PR:H), with low attack complexity (AC:L) and no user interaction (UI:N). The scope is changed (S:C), meaning the impact extends beyond the vulnerable component itself, with high confidentiality (C:H) and integrity (I:H) impacts and no availability impact (A:N). A privileged local attacker could leverage the flawed controls to disclose sensitive information from the Video Analytics engine and potentially modify data.
For mitigation details, refer to the Qualcomm March 2025 Security Bulletin at https://docs.qualcomm.com/product/publicresources/securitybulletin/march-2025-bulletin.html, which provides guidance on patches and workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5792
Vulnerability details
Information disclosure may occur due to improper permission and access controls to Video Analytics engine.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Local improper access controls enable privilege escalation via sensitive data disclosure and modification with scope change.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
AC-3 requires enforcement of approved authorizations for access to system resources like the Video Analytics engine, directly addressing the improper permission and access controls causing information disclosure.
AC-6 enforces least privilege, mitigating the vulnerability by restricting even high-privilege (PR:H) local attackers from accessing sensitive Video Analytics engine data beyond necessary tasks.
AC-25 implements a tamper-resistant reference monitor for complete mediation of accesses, preventing bypass of flawed permission controls in the Video Analytics engine.