Cyber Posture

CVE-2024-53932

Critical

Published: 06 January 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 9.1 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0012 (31.1st percentile)
Risk Priority: 18 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-53932 is a critical-severity Incorrect Permission Assignment for Critical Resource (CWE-732) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, its EPSS score places it at the 31.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5, AI-generated)

prevent: Enforces approved authorizations to prevent unauthorized applications from accessing the DialerActivity via crafted intents, directly addressing the incorrect permission assignment.

prevent: Applies least privilege to sensitive components like DialerActivity, requiring explicit permissions and mitigating exploitation without user interaction.

prevent: Validates crafted intents received by DialerActivity to ensure only authorized inputs trigger phone calls, reducing risk from insecure direct object references.

NVD Description

The com.remi.colorphone.callscreen.calltheme.callerscreen (aka Color Phone: Call Screen Theme) application through 21.1.9 for Android enables any application (with no permissions) to place phone calls without user interaction by sending a crafted intent via the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component.

Deeper analysis (AI-generated)

CVE-2024-53932 is a critical vulnerability in the Color Phone: Call Screen Theme Android application (package name com.remi.colorphone.callscreen.calltheme.callerscreen) through version 21.1.9. The issue stems from the com.remi.colorphone.callscreen.calltheme.callerscreen.dialer.DialerActivity component, which permits any other application, without needing special permissions, to silently initiate phone calls by sending a crafted intent. This flaw is linked to CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-922 (Insecure Direct Object Reference).

The vulnerability carries a CVSS v3.1 base score of 9.1 (Critical) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating it is exploitable over the network with low complexity, no privileges, and no user interaction required. Any malicious application installed on the device can trigger it, allowing attackers to place arbitrary phone calls without the user's knowledge or consent, potentially enabling fraud, harassment, or premium-rate call scams that incur financial costs.

Advisories and further details, including potential mitigation guidance, are available at https://github.com/actuator/com.remi.colorphone.callscreen.calltheme.callerscreen/blob/main/CVE-2024-53932.

Details

CWE(s)

CVEs Like This One

CVE-2024-53931 (shared: CWE-732, CWE-922)
CVE-2024-38337 (shared: CWE-732)
CVE-2025-0064 (shared: CWE-732)
CVE-2025-28244 (shared: CWE-922)
CVE-2026-24834 (shared: CWE-732)
CVE-2025-1067 (shared: CWE-732)
CVE-2026-26102 (shared: CWE-732)
CVE-2025-0066 (shared: CWE-732)
CVE-2025-33088 (shared: CWE-732)
CVE-2025-22984 (shared: CWE-922)

References