CVE-2025-23409
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-23409 is a use-after-free (CWE-416) vulnerability affecting OpenHarmony versions v5.0.2 and prior. It enables a local attacker to achieve arbitrary code execution within pre-installed apps. Published on 2025-03-04, the issue carries a CVSS v3.1 base score of 3.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), reflecting low severity with changed scope but limited confidentiality impact.
A local attacker with low privileges (PR:L) can exploit this vulnerability under restricted scenarios, requiring low attack complexity and no user interaction. Successful exploitation leads to arbitrary code execution confined to pre-installed apps, potentially allowing code injection or manipulation within those components, though broader system compromise is not indicated by the CVSS vector.
The official advisory is detailed in the OpenHarmony security disclosure at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md, which security practitioners should consult for patch availability and mitigation guidance specific to affected versions.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Use-after-free vulnerability enables local low-privileged attacker to achieve arbitrary code execution in pre-installed apps, directly facilitating exploitation for privilege escalation (T1068); limited CVSS impact and app confinement introduce uncertainty on full system escalation.