CVE-2024-56449

Medium

Published: 08 January 2025

Published

08 January 2025

Modified

13 January 2025

KEV Added

—

Patch

—

CVSS Score 6.6 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

EPSS Score 0.0008 23.0th percentile

Risk Priority 13 60% EPSS · 20% KEV · 20% CVSS

Description

Privilege escalation vulnerability in the Account module Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Security Summary

CVE-2024-56449 is a privilege escalation vulnerability in the Account module, published on 2025-01-08. It carries a CVSS v3.1 base score of 6.6 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L) and is associated with CWE-840 (business logic errors) and NVD-CWE-noinfo. Successful exploitation may affect service confidentiality.

An attacker with local access and low privileges can exploit this vulnerability with low complexity and no user interaction required. Upon successful exploitation, the attacker can achieve high impact on confidentiality, along with low impacts on integrity and availability, without changing scope.

Huawei has issued a security bulletin at https://consumer.huawei.com/en/support/bulletin/2025/1/ detailing mitigation measures and available patches for affected products.

Details

CWE(s): CWE-840NVD-CWE-noinfo

Affected Products

huawei

emui

12.0.0, 13.0.0, 14.0.0

huawei

harmonyos

2.0.0, 2.1.0, 3.0.0, 3.1.0, 4.0.0

References

https://consumer.huawei.com/en/support/bulletin/2025/1/
Vendor Advisory · psirt@huawei.com