CVE-2025-23240
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-23240 is an out-of-bounds write vulnerability (CWE-787) affecting OpenHarmony versions v5.0.2 and prior. It enables a local attacker to achieve arbitrary code execution within pre-installed applications. The issue was publicly disclosed on 2025-03-04 with a CVSS v3.1 base score of 3.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), indicating low severity primarily due to its local attack vector and limited impact scope.
A local attacker with low privileges (PR:L) can exploit this vulnerability with low complexity and no user interaction required. Successful exploitation leads to arbitrary code execution confined to pre-installed apps, but only within restricted scenarios as noted in the description. The changed scope (S:C) allows potential impact beyond the vulnerable component, though confidentiality impact is low (C:L) with no integrity or availability effects.
For mitigation details, refer to the official OpenHarmony security disclosure advisory at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Out-of-bounds write enabling local low-privileged arbitrary code execution directly facilitates exploitation for privilege escalation.