CVE-2026-28553
Published: 13 April 2026
Summary
CVE-2026-28553 is a medium-severity vulnerability of an unspecified weakness type in Huawei HarmonyOS. Its CVSS base score is 6.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The vulnerability is ranked in the 0.2 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): enforces approved authorizations for access to system resources such as the theme setting module, directly addressing the improper permission control weakness.
- AC-6 (Least Privilege): restricts access to the theme setting module to what each principal needs, so a local attacker cannot reach it to compromise service confidentiality.
- Flaw remediation: timely application of the vendor patches referenced in the Huawei support bulletin identifies and remediates flaws such as CVE-2026-28553.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper permission control (CWE-275) in a local theme module with scope change and high confidentiality impact directly enables exploitation for privilege escalation (T1068) and unauthorized collection of data from the local system (T1005).
NVD Description
Vulnerability of improper permission control in the theme setting module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.
Deeper analysis
CVE-2026-28553 is a vulnerability involving improper permission control in the theme setting module, associated with CWE-275. It affects Huawei consumer products, as indicated by the vendor's support bulletin. Published on 2026-04-13, the issue carries a CVSS v3.1 base score of 6.9 (AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:L/A:L), highlighting a medium-severity risk primarily to confidentiality.
Exploitation requires local access, high attack complexity, no privileges, and user interaction. A local attacker could leverage it for a high confidentiality impact together with low integrity and availability impacts; the changed scope (S:C) means the effects are not confined to the theme setting module itself. Successful exploitation may compromise service confidentiality.
Huawei has issued a support bulletin at https://consumer.huawei.com/en/support/bulletin/2026/4/, which provides details on the vulnerability and likely includes mitigation guidance or patches for affected products.
Details
- CWE(s): CWE-275 (Permission Issues)