Cyber Resilience

CVE-2024-57954

Medium

Published: 06 February 2025

Published
06 February 2025
Modified
26 September 2025
KEV Added
Patch
CVSS Score v3.1 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS Score 0.0004 12.4th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57954 is a medium-severity Improper Authorization (CWE-285) vulnerability in Huawei Harmonyos. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 12.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2024-57954 is a permission verification vulnerability in the media library module, classified under CWE-285 (Improper Authorization). Published on 2025-02-06, it carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high impact on confidentiality but no impact on integrity or availability.

A local attacker requires no privileges, low attack complexity, and no user interaction to exploit the vulnerability. Successful exploitation allows access to confidential service data, potentially compromising sensitive information within the affected media library module.

Mitigation details are provided in the Huawei support bulletin at https://consumer.huawei.com/en/support/bulletin/2025/2/. Security practitioners should consult this advisory for patching instructions and workarounds applicable to affected Huawei products.

EU & UK References

Vulnerability details

Permission verification vulnerability in the media library module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Local unauthorized read access to confidential media library data directly enables collection of sensitive files/information from the local system (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-12602Same product: Huawei Harmonyos
CVE-2026-24915Same product: Huawei Harmonyos
CVE-2024-56435Same product: Huawei Harmonyos
CVE-2024-56443Same product: Huawei Harmonyos
CVE-2026-24921Same product: Huawei Harmonyos
CVE-2024-56444Same product: Huawei Harmonyos
CVE-2026-24925Same product: Huawei Harmonyos
CVE-2025-68960Same product: Huawei Harmonyos
CVE-2024-57955Same product: Huawei Harmonyos
CVE-2024-56451Same product: Huawei Harmonyos

Affected Assets

huawei
harmonyos
5.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-3 mandates enforcement of approved authorizations for access to system resources, directly countering the improper permission verification in the media library module that allows unauthorized confidentiality breaches.

prevent

AC-24 requires the system to make and enforce access control decisions for specific resources, addressing the flawed permission checks exploited by local unprivileged attackers.

prevent

AC-6 enforces least privilege, limiting potential damage from improper authorization by restricting unprivileged local access to confidential media library data.

References