Cyber Resilience

CVE-2024-57960

Severity: High
Published: 06 February 2025
Modified: 17 March 2025
CISA KEV: not listed
CVSS v3.1 base score: 7.7 (High), vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
EPSS score: 0.0003 (10.5th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-57960 is a high-severity Improper Input Validation (CWE-20) vulnerability in the ExternalStorageProvider module of Huawei HarmonyOS and EMUI. Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Data from Local System (T1005). Its EPSS score places it at the 10.5th percentile of exploitation likelihood (below the median), and it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-57960 is an input verification vulnerability, classified under CWE-20 (Improper Input Validation), in the ExternalStorageProvider module of Huawei HarmonyOS and EMUI. Published on 2025-02-06, it carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L), a high-severity rating; Huawei's advisory states that successful exploitation may affect service confidentiality.

The vector describes a local attacker (AV:L) who needs no privileges (PR:N) but does need user interaction (UI:R), with low attack complexity (AC:L). Exploitation changes scope (S:C): the impact reaches a component other than the vulnerable one, which is also why the v3.1 formula applies its 1.08 uplift to this score. The impact is primarily to confidentiality (C:H), with low integrity (I:L) and availability (A:L) effects, consistent with the advisory's statement that exploitation may affect service confidentiality.

Huawei has issued a consumer support bulletin addressing this vulnerability, available at https://consumer.huawei.com/en/support/bulletin/2025/2/, which provides details on mitigation and patching recommendations.

Vulnerability details

Input verification vulnerability in the ExternalStorageProvider module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (tactic: Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local input validation flaw (CWE-20) in a storage provider module gives unprivileged code a route to sensitive data (T1005); the scope change in the vector (S:C), meaning the impact reaches a component other than the vulnerable one, is the basis for the privilege escalation mapping (T1068).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-28553 (same product: Huawei EMUI)
CVE-2026-28542 (same product: Huawei EMUI)
CVE-2024-58044 (same product: Huawei EMUI)
CVE-2026-34859 (same product: Huawei EMUI)
CVE-2024-56449 (same product: Huawei EMUI)
CVE-2024-58043 (same product: Huawei EMUI)
CVE-2024-56447 (same product: Huawei EMUI)
CVE-2024-57961 (same product: Huawei EMUI)
CVE-2026-28548 (same product: Huawei EMUI)
CVE-2023-52953 (same product: Huawei EMUI)

Affected Assets

Huawei EMUI: 13.0.0, 14.0.0
Huawei HarmonyOS: 3.0.0, 3.1.0, 4.0.0, 4.2.0, 4.3.0

Mitigating Controls (NIST SP 800-53 r5)

SI-10 Information Input Validation (prevent)
Directly requires validation of information inputs to the ExternalStorageProvider module, addressing the core improper input validation vulnerability (CWE-20).

SI-2 Flaw Remediation (prevent)
Mandates timely identification, reporting, and patching of the flaw in Huawei products as per the issued consumer support bulletin.

AC-3 Access Enforcement (prevent; control identifier assumed from the description)
Enforces approved access authorizations to mitigate unauthorized confidentiality access resulting from input validation exploitation.
