Cyber Posture

CVE-2024-57957

Medium

Published: 06 February 2025

Modified: 17 March 2025
KEV Added
Patch
CVSS Score: 6.6 (CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0010 (27.5th percentile)
Risk Priority: 13 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57957 is a medium-severity Violation of Secure Design Principles (CWE-657) vulnerability in Huawei HarmonyOS. Its CVSS v3.1 base score is 6.6 (Medium).

Operationally, it ranks at the 27.5th percentile for exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-11 (Device Lock) and AU-3 (Content of Audit Records).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) (AI-generated)

- prevent: Protects audit information and log files from unauthorized access, modification, or deletion, directly mitigating the confidentiality impact of sensitive information improperly controlled in logs.
- prevent (AU-3, Content of Audit Records): Defines and controls the content of audit records to prevent the insertion of sensitive service information into log files, addressing CWE-532.
- prevent (AC-11, Device Lock): Locks the device to prevent unauthorized physical access and user interaction with the UI framework module required for exploitation.

MITRE ATT&CK Enterprise Techniques (AI-generated)

Insufficient information to map techniques.
Confidence: LOW · MITRE ATT&CK Enterprise v18.1

NVD Description

Vulnerability of improper log information control in the UI framework module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Deeper analysis (AI-generated)

CVE-2024-57957 is a vulnerability involving improper log information control in the UI framework module of Huawei devices. This flaw, associated with CWE-657 (Violation of Secure Design Principles) and CWE-532 (Insertion of Sensitive Information into Log File), was published on February 6, 2025, and carries a CVSS v3.1 base score of 6.6 (AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires physical access to the device (AV:P), has low attack complexity (AC:L), needs no privileges (PR:N), and requires user interaction (UI:R), such as a user being induced to perform a specific action. The vector rates the confidentiality, integrity, and availability impacts all as high (C:H/I:H/A:H), although the vendor description names only service confidentiality, through improperly controlled sensitive log information, as the effect.

Huawei has issued a support bulletin detailing the vulnerability at https://consumer.huawei.com/en/support/bulletin/2025/2/, which security practitioners should consult for mitigation guidance and available patches.

Details

CWE(s): CWE-657 (Violation of Secure Design Principles), CWE-532 (Insertion of Sensitive Information into Log File)

Affected Products: huawei / harmonyos / 5.0.0 (vendor / product / version)

CVEs Like This One

- CVE-2024-56436 (same product: Huawei HarmonyOS)
- CVE-2024-56437 (same product: Huawei HarmonyOS)
- CVE-2024-57962 (same product: Huawei HarmonyOS)
- CVE-2025-68955 (same product: Huawei HarmonyOS)
- CVE-2025-68957 (same product: Huawei HarmonyOS)
- CVE-2025-68960 (same product: Huawei HarmonyOS)
- CVE-2026-34856 (same product: Huawei HarmonyOS)
- CVE-2024-56439 (same product: Huawei HarmonyOS)
- CVE-2025-68958 (same product: Huawei HarmonyOS)
- CVE-2026-34865 (same product: Huawei HarmonyOS)
