Cyber Resilience

CVE-2024-53932

Severity: Critical
Published: 06 January 2025
Modified: 15 April 2026
KEV Added: not listed
CVSS v3.1: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS: 0.0017 (37.9th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-53932 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, the CVE is ranked at the 37.9th percentile by EPSS exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2024-53932 is a critical vulnerability in the Color Phone: Call Screen Theme Android application (package name com.remi.colorphone.callscreen.calltheme.callerscreen) through version 21.1.9. The issue stems from the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component, which permits any other application, without holding any special permission, to silently initiate phone calls by sending a crafted intent. The root cause is an exported component with no permission gate, and the flaw is classified under CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-922 (Insecure Storage of Sensitive Information).

The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical) with vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. Read literally, the vector claims network reachability with low complexity, no privileges, and no user interaction. In practice the trigger is a crafted intent, so the attacker needs a malicious application already installed on the same device; that application can then place arbitrary phone calls without the user's knowledge or consent, enabling fraud, harassment, or premium-rate call scams that incur financial costs.

Advisories and further details, including potential mitigation guidance, are available at https://github.com/actuator/com.remi.colorphone.callscreen.calltheme.callerscreen/blob/main/CVE-2024-53932.

Vulnerability details

The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component.

CWE(s)

CWE-732 (Incorrect Permission Assignment for Critical Resource), CWE-922 (Insecure Storage of Sensitive Information)

CVEs Like This One

CVE-2024-53931 (shared CWE-732, CWE-922)
CVE-2025-27688 (shared CWE-732)
CVE-2026-22676 (shared CWE-732)
CVE-2025-0066 (shared CWE-732)
CVE-2025-12539 (shared CWE-922)
CVE-2026-24834 (shared CWE-732)
CVE-2024-12315 (shared CWE-922)
CVE-2024-55411 (shared CWE-732)
CVE-2025-33088 (shared CWE-732)
CVE-2026-35341 (shared CWE-732)

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): enforces approved authorizations so that unauthorized applications cannot reach DialerActivity via crafted intents, which directly addresses the incorrect permission assignment on the component.

AC-6 Least Privilege (prevent): applies least privilege to sensitive components such as DialerActivity by requiring callers to hold an explicit permission, which removes the no-permission, no-user-interaction exploitation path.

Input validation (prevent): validates intents received by DialerActivity so that only authorized callers and well-formed inputs can trigger a phone call; this reduces risk even where the component must remain reachable.
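The defect described in the analysis above, and the control the mitigation list asks for (a permission gate on every component other apps can reach), can both be checked mechanically on a decoded manifest. The script below is an added example and is not code from this page, the app, or the linked advisory: it walks an AndroidManifest.xml and reports components that are exported, explicitly or implicitly through an intent-filter, without an android:permission attribute. The sample manifests are constructed; apart from DialerActivity, the component names, intent actions, and permission name are assumptions.

```python
# Added example: audit a decoded AndroidManifest.xml for components that any
# installed app can invoke without holding a permission (the CWE-732 pattern
# behind CVE-2024-53932). Not the app's real manifest; samples are constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def _android_attr(elem, name):
    """Read an android:-prefixed attribute (ElementTree expands the namespace)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def find_unprotected_exports(manifest_xml):
    """Return [(tag, component name, reason)] for components reachable by other
    apps with no permission requirement.

    A component counts as exported when android:exported="true", or when it
    declares an <intent-filter> and leaves android:exported unset (the implicit
    export rule; apps targeting API 31+ must state the attribute explicitly).
    A component carrying android:permission is treated as gated and skipped.
    """
    root = ET.fromstring(manifest_xml)
    findings = []
    for elem in root.iter():
        if elem.tag not in COMPONENT_TAGS:
            continue
        exported = _android_attr(elem, "exported")
        has_filter = elem.find("intent-filter") is not None
        if exported == "true":
            reason = 'android:exported="true"'
        elif exported is None and has_filter:
            reason = "intent-filter present, android:exported unset (implicit export)"
        else:
            continue
        if _android_attr(elem, "permission"):
            continue  # callers must hold this permission; treated as protected
        findings.append((elem.tag, _android_attr(elem, "name"), reason))
    return findings


# Constructed sample mirroring the advisory's pattern: DialerActivity is exported
# with no permission. CallRelayReceiver and its action are assumed, added to show
# the implicit-export case (intent-filter, attribute unset).
VULNERABLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.remi.colorphone.callscreen.calltheme.callerscreen">
  <application>
    <activity android:name=".dialer.DialerActivity"
              android:exported="true"/>
    <receiver android:name=".dialer.CallRelayReceiver">
      <intent-filter>
        <action android:name="com.example.assumed.RELAY_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed hardened form: DialerActivity is no longer exported at all, and the
# receiver that must stay reachable is gated behind an assumed permission name.
HARDENED_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.remi.colorphone.callscreen.calltheme.callerscreen">
  <application>
    <activity android:name=".dialer.DialerActivity"
              android:exported="false"/>
    <receiver android:name=".dialer.CallRelayReceiver"
              android:exported="true"
              android:permission="com.example.assumed.RELAY_CALL_PERMISSION">
      <intent-filter>
        <action android:name="com.example.assumed.RELAY_CALL"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def report(label, manifest_xml):
    """Print findings for one manifest and return them for further processing."""
    findings = find_unprotected_exports(manifest_xml)
    print("%s: %d unprotected exported component(s)" % (label, len(findings)))
    for tag, name, reason in findings:
        print("  <%s> %s  [%s]" % (tag, name, reason))
    return findings


if __name__ == "__main__":
    report("vulnerable", VULNERABLE_MANIFEST)
    report("hardened", HARDENED_MANIFEST)
```

Run it against the AndroidManifest.xml that apktool produces when decoding the APK. Two caveats: a launcher activity is expected to be exported and will be listed for review, and an android:permission gate is only as strong as that permission's protectionLevel (a "normal"-level permission is granted to any app that requests it, so it does not stop a malicious caller); the script does not evaluate protection levels, which remains a manual step.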
