CVE-2025-23414
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-23414 is a use-after-free vulnerability (CWE-416) in OpenHarmony versions v5.0.2 and prior. Published on 2025-03-04T04:15:15.377, it enables a local attacker to achieve arbitrary code execution within pre-installed applications. The vulnerability carries a CVSS v3.1 base score of 3.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), reflecting low severity with local access requirements, low attack complexity, low privileges needed, no user interaction, changed scope, and limited confidentiality impact.
A local attacker with low privileges can exploit this vulnerability to execute arbitrary code in pre-installed apps. Exploitation is possible only in restricted scenarios, requiring physical or logical local access to the system. While it grants code execution, impacts are confined to low confidentiality disclosure with no integrity or availability effects.
The OpenHarmony security advisory provides further details on this vulnerability at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free vulnerability in pre-installed applications allows a local attacker with low privileges to achieve arbitrary code execution, directly enabling exploitation for privilege escalation (T1068) as the attacker starts with low privileges and gains code execution in system-level apps.