CVE-2024-57954

Medium

Published: 06 February 2025

Published

06 February 2025

Modified

26 September 2025

KEV Added

—

Patch

—

CVSS Score 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0004 12.1th percentile

Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-57954 is a medium-severity Improper Authorization (CWE-285) vulnerability in Huawei Harmonyos. Its CVSS base score is 6.2 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

AC-3 Access Enforcement good match

prevent

AC-3 mandates enforcement of approved authorizations for access to system resources, directly countering the improper permission verification in the media library module that allows unauthorized confidentiality breaches.

AC-24 Access Control Decisions good match

prevent

AC-24 requires the system to make and enforce access control decisions for specific resources, addressing the flawed permission checks exploited by local unprivileged attackers.

AC-6 Least Privilege partial match

prevent

AC-6 enforces least privilege, limiting potential damage from improper authorization by restricting unprivileged local access to confidential media library data.

MITRE ATT&CK Enterprise TechniquesAI

T1005 Data from Local System Collection

Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

attack.mitre.org →

Why these techniques?

Local unauthorized read access to confidential media library data directly enables collection of sensitive files/information from the local system (T1005).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Permission verification vulnerability in the media library module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Deeper analysisAI

CVE-2024-57954 is a permission verification vulnerability in the media library module, classified under CWE-285 (Improper Authorization). Published on 2025-02-06, it carries a CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity with high impact on confidentiality but no impact on integrity or availability.

A local attacker requires no privileges, low attack complexity, and no user interaction to exploit the vulnerability. Successful exploitation allows access to confidential service data, potentially compromising sensitive information within the affected media library module.

Mitigation details are provided in the Huawei support bulletin at https://consumer.huawei.com/en/support/bulletin/2025/2/. Security practitioners should consult this advisory for patching instructions and workarounds applicable to affected Huawei products.

Details

CWE(s): CWE-285 NVD-CWE-noinfo

Affected Products

huawei

harmonyos

5.0.0

CVEs Like This One

CVE-2026-24915Same product: Huawei Harmonyos

CVE-2024-56443Same product: Huawei Harmonyos

CVE-2024-56435Same product: Huawei Harmonyos

CVE-2026-24921Same product: Huawei Harmonyos

CVE-2024-56444Same product: Huawei Harmonyos

CVE-2024-56436Same product: Huawei Harmonyos

CVE-2024-56437Same product: Huawei Harmonyos

CVE-2024-57962Same product: Huawei Harmonyos

CVE-2025-68955Same product: Huawei Harmonyos

CVE-2025-68957Same product: Huawei Harmonyos

References

https://consumer.huawei.com/en/support/bulletin/2025/2/
Vendor Advisory · psirt@huawei.com