Cyber Posture

CVE-2024-57960

High

Published: 06 February 2025

Modified: 17 March 2025
KEV Added
Patch
CVSS Score: 7.7 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L)
EPSS Score: 0.0003 (10.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Description

Input verification vulnerability in the ExternalStorageProvider module. Impact: Successful exploitation of this vulnerability may affect service confidentiality.

Security Summary

CVE-2024-57960 is an input verification vulnerability, classified under CWE-20 (Improper Input Validation), in the ExternalStorageProvider module of Huawei products. Published on 2025-02-06, it carries a CVSS v3.1 base score of 7.7 (AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L), indicating a high-severity issue with potential to affect service confidentiality upon successful exploitation.

Exploitation requires local access (AV:L), no privileges (PR:N) and user interaction (UI:R), with low attack complexity (AC:L). A successful attack changes scope (S:C); the impact is high on confidentiality (C:H) and low on integrity (I:L) and availability (A:L), allowing unauthorized access to sensitive service data.

Huawei has issued a consumer support bulletin addressing this vulnerability, available at https://consumer.huawei.com/en/support/bulletin/2025/2/, which provides details on mitigation and patching recommendations.

Details

CWE(s)
CWE-20, NVD-CWE-noinfo

Affected Products

huawei emui: 13.0.0, 14.0.0
huawei harmonyos: 3.0.0, 3.1.0, 4.0.0, 4.2.0, 4.3.0

References