CVE-2024-12602

Medium

Published: 06 February 2025

Published

06 February 2025

Modified

17 March 2025

KEV Added

—

Patch

—

CVSS Score 6.2 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0007 20.3th percentile

Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Description

Identity verification vulnerability in the ParamWatcher module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Security Summary

CVE-2024-12602 is an identity verification vulnerability in the ParamWatcher module. This flaw affects service confidentiality, as indicated by its CVSS v3.1 base score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). It is associated with CWE-300 (Channel Accessible by Non-Endpoint) and NVD-CWE-noinfo. The vulnerability was published on 2025-02-06T13:15:38.907.

A local attacker can exploit this vulnerability with low attack complexity, requiring no privileges or user interaction. Successful exploitation allows the attacker to achieve high-impact confidentiality violations, potentially accessing sensitive service data without affecting integrity or availability.

Huawei has published a security bulletin at https://consumer.huawei.com/en/support/bulletin/2025/2/ detailing the issue, which security practitioners should consult for mitigation guidance and available patches.

Details

CWE(s): CWE-300NVD-CWE-noinfo

Affected Products

huawei

harmonyos

5.0.0

References

https://consumer.huawei.com/en/support/bulletin/2025/2/
Vendor Advisory · psirt@huawei.com