Cyber Posture

CVE-2024-57960

Severity: High
Published: 06 February 2025
Modified: 17 March 2025
KEV Added: not listed
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L)
EPSS Score: 0.0003 (10.1st percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2024-57960 is a high-severity Improper Input Validation (CWE-20) vulnerability in the ExternalStorageProvider module of Huawei HarmonyOS and EMUI. Its CVSS v3.1 base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Data from Local System (T1005). Its EPSS score of 0.0003 places it at the 10.1st percentile by exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Data from Local System (T1005) and Exploitation for Privilege Escalation (T1068). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of information inputs to the ExternalStorageProvider module, addressing the core improper input validation weakness (CWE-20).

SI-2 Flaw Remediation (prevent): Mandates timely identification, reporting, and patching of the flaw in Huawei products as per the issued consumer support bulletin.

AC-3 Access Enforcement (prevent): Enforces approved access authorizations so that a successful input validation bypass does not translate into unauthorized access to other components' data.
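The SI-10 entry above is the one control that targets the bug class itself. Huawei has not published the mechanics of this particular flaw, so the following is an added, generic illustration (not Huawei's code and not a reconstruction of CVE-2024-57960) of what "validating inputs to a storage provider" means in practice: a document id of the form `root:relative/path` is resolved once without containment checks, and once with them. The root table, the id format and the function names are assumptions chosen for the example.

```python
import posixpath

# Constructed example roots: the ids a caller may reference and the directories
# they map to. Hypothetical values, not Huawei's actual configuration.
ROOTS = {
    "primary": "/storage/emulated/0",
    "sdcard": "/storage/1234-5678",
}


class InvalidDocumentId(ValueError):
    """Raised when a caller-supplied document id fails validation."""


def split_document_id(doc_id: str) -> tuple:
    """Split 'root:relative/path' into its two parts without validating them."""
    if not isinstance(doc_id, str) or ":" not in doc_id:
        raise InvalidDocumentId("malformed document id")
    root_id, rel = doc_id.split(":", 1)
    return root_id, rel


def resolve_unchecked(doc_id: str, roots=ROOTS) -> str:
    """CWE-20 pattern: the root id is looked up, but the relative path is joined
    to the root with no validation, so '..' segments or an absolute path escape."""
    root_id, rel = split_document_id(doc_id)
    if root_id not in roots:
        raise InvalidDocumentId("unknown root")
    return posixpath.join(roots[root_id], rel)


def resolve_checked(doc_id: str, roots=ROOTS) -> str:
    """Hardened form: reject NUL bytes and absolute paths, normalise the
    candidate lexically, then require it to remain inside the chosen root."""
    root_id, rel = split_document_id(doc_id)
    if root_id not in roots:
        raise InvalidDocumentId("unknown root")
    if "\x00" in rel:
        raise InvalidDocumentId("NUL byte in path")
    if rel.startswith("/"):
        raise InvalidDocumentId("absolute path not allowed")
    root = roots[root_id]
    candidate = posixpath.normpath(posixpath.join(root, rel))
    # The trailing "/" matters: without it "/storage/emulated/00/x" would pass
    # a bare prefix check against "/storage/emulated/0".
    if candidate != root and not candidate.startswith(root + "/"):
        raise InvalidDocumentId("path escapes root")
    # On a real filesystem, follow this with os.path.realpath() and repeat the
    # containment check so a symlink inside the root cannot point outside it.
    return candidate


def is_rejected(doc_id: str) -> bool:
    """True if the hardened resolver refuses doc_id."""
    try:
        resolve_checked(doc_id)
    except InvalidDocumentId:
        return True
    return False


if __name__ == "__main__":
    for doc_id in ["primary:Download/report.pdf",
                   "primary:../../data/data/com.example/secret",
                   "primary:/etc/hosts",
                   "sdcard:../0/DCIM/../../x"]:
        print(f"{doc_id!r:48} unchecked -> {resolve_unchecked(doc_id)}")
        verdict = "REJECTED" if is_rejected(doc_id) else resolve_checked(doc_id)
        print(f"{'':48} checked   -> {verdict}")
```

The lexical check alone is what SI-10 asks for at the input boundary; the `realpath` step noted in the comment is the second half of the check once the provider touches a real filesystem, and AC-3 is what limits the damage if both are bypassed.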

MITRE ATT&CK Enterprise Techniques

T1005 Data from Local System (Collection): Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.

T1068 Exploitation for Privilege Escalation (Privilege Escalation): Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

A local input validation flaw (CWE-20) in the storage provider module gives an unprivileged caller access to sensitive local data (T1005), and the scope change in the vector (S:C) indicates impact beyond the vulnerable component's own security authority, which is why T1068 is mapped as well. Note that the NVD description states only a confidentiality impact; the T1068 mapping is inferred from the CVSS metrics, not from any published exploit.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Input verification vulnerability in the ExternalStorageProvider module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Deeper analysis

CVE-2024-57960 is an input verification vulnerability, classified under CWE-20 (Improper Input Validation), in the ExternalStorageProvider module of Huawei products. Published on 2025-02-06, it carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L), indicating a high-severity issue with potential to affect service confidentiality upon successful exploitation.

A local attacker with no privileges (PR:N) can exploit the vulnerability with low attack complexity (AC:L), but user interaction is required (UI:R). Because the scope changes (S:C), the impact extends beyond the vulnerable component's own security authority: confidentiality impact is High (C:H), with Low integrity (I:L) and availability (A:L) effects, allowing unauthorized access to sensitive service data. The scope change is also what lifts the score into the High band; the same metrics with S:U would score 6.6 (Medium).

Huawei has issued a consumer support bulletin addressing this vulnerability, available at https://consumer.huawei.com/en/support/bulletin/2025/2/, which provides details on mitigation and patching recommendations.

Details

CWE(s)

CWE-20 Improper Input Validation

Affected Products

huawei emui: 13.0.0, 14.0.0
huawei harmonyos: 3.0.0, 3.1.0, 4.0.0, 4.2.0, 4.3.0

CVEs Like This One

CVE-2026-28542 (same product: Huawei EMUI)
CVE-2024-58044 (same product: Huawei EMUI)
CVE-2026-28553 (same product: Huawei EMUI)
CVE-2024-56447 (same product: Huawei EMUI)
CVE-2026-34859 (same product: Huawei EMUI)
CVE-2024-57961 (same product: Huawei EMUI)
CVE-2024-58043 (same product: Huawei EMUI)
CVE-2024-56449 (same product: Huawei EMUI)
CVE-2026-28548 (same product: Huawei EMUI)
CVE-2026-34853 (same product: Huawei EMUI)

References

Huawei consumer support bulletin, February 2025: https://consumer.huawei.com/en/support/bulletin/2025/2/