CVE-2025-23409
Published: 04 March 2025
Summary
CVE-2025-23409 is a low-severity Use After Free (CWE-416) vulnerability in Openatom Openharmony. Its CVSS base score is 3.8 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 30.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-39 (Process Isolation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the CVE by requiring timely identification, reporting, and correction of the use-after-free flaw in OpenHarmony pre-installed apps.
Implements memory protection methods such as address space layout randomization and data execution prevention to block exploitation of the use-after-free vulnerability leading to arbitrary code execution.
Enforces process isolation for pre-installed apps, containing the impact of local arbitrary code execution within restricted scopes and preventing broader system compromise.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Use-after-free vulnerability enables local low-privileged attacker to achieve arbitrary code execution in pre-installed apps, directly facilitating exploitation for privilege escalation (T1068); limited CVSS impact and app confinement introduce uncertainty on full system escalation.
NVD Description
in OpenHarmony v5.0.2 and prior versions allow a local attacker arbitrary code execution in pre-installed apps through use after free. This vulnerability can be exploited only in restricted scenarios.
Deeper analysisAI
CVE-2025-23409 is a use-after-free (CWE-416) vulnerability affecting OpenHarmony versions v5.0.2 and prior. It enables a local attacker to achieve arbitrary code execution within pre-installed apps. Published on 2025-03-04, the issue carries a CVSS v3.1 base score of 3.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), reflecting low severity with changed scope but limited confidentiality impact.
A local attacker with low privileges (PR:L) can exploit this vulnerability under restricted scenarios, requiring low attack complexity and no user interaction. Successful exploitation leads to arbitrary code execution confined to pre-installed apps, potentially allowing code injection or manipulation within those components, though broader system compromise is not indicated by the CVSS vector.
The official advisory is detailed in the OpenHarmony security disclosure at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md, which security practitioners should consult for patch availability and mitigation guidance specific to affected versions.
Details
- CWE(s)