CVE-2025-22835
Published: 04 March 2025
Summary
CVE-2025-22835 is a low-severity Out-of-bounds Write (CWE-787) vulnerability in Openatom Openharmony. Its CVSS base score is 3.8 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 28.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-16 (Memory Protection) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-22835 is an out-of-bounds write vulnerability (CWE-787) in OpenHarmony versions v5.0.2 and prior. It enables a local attacker to achieve arbitrary code execution within pre-installed applications.
A local attacker with low privileges can exploit this vulnerability with low attack complexity and no user interaction required (CVSS:3.1/AV:L/AC:L/PR:L/UI:N). Successful exploitation changes scope (S:C), resulting in low confidentiality impact (C:L) but no integrity or availability impact (I:N/A:N), for an overall base score of 3.8. Exploitation is restricted to specific scenarios.
Mitigation details are provided in the OpenHarmony security advisory at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7614
Vulnerability details
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through out-of-bounds write. This vulnerability can be exploited only in restricted scenarios.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The OOB write vulnerability directly enables local low-privileged attackers to achieve arbitrary code execution in pre-installed applications (with scope change), mapping to exploitation for privilege escalation as it provides access beyond the attacker's initial context.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mitigates CVE-2025-22835 by requiring identification, testing, and installation of patches for the out-of-bounds write vulnerability in OpenHarmony.
Implements memory protection mechanisms that prevent out-of-bounds writes from enabling arbitrary code execution in pre-installed apps.
Validates inputs to the vulnerable pre-installed apps, reducing the risk of exploitation via malformed data causing the out-of-bounds write.