CVE-2025-20091
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-20091 is a use-after-free vulnerability (CWE-416) affecting OpenHarmony versions v5.0.2 and prior. It enables a local attacker to achieve arbitrary code execution within pre-installed applications on affected systems. The vulnerability was published on 2025-03-04 and carries a CVSS v3.1 base score of 3.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), indicating low severity with local access required, low privileges, low complexity, and a changed scope impacting confidentiality.
A local attacker with low privileges can exploit this vulnerability to execute arbitrary code in the context of pre-installed apps, but only in restricted scenarios as noted in the description. The attack requires physical or local access to the device and does not involve user interaction, though the scope change suggests potential for broader impact within the scoped components.
The OpenHarmony security advisory at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md provides further details on disclosure and likely mitigation steps for this issue.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free vulnerability directly enables local arbitrary code execution by a low-privileged attacker in pre-installed applications, mapping to exploitation of software vulnerabilities for privilege escalation.