CVE-2025-24301
Published: 04 March 2025
Description
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Security Summary
CVE-2025-24301 is a use-after-free vulnerability (CWE-416) affecting OpenHarmony versions v5.0.2 and prior. It enables a local attacker to achieve arbitrary code execution within pre-installed apps. The issue is confined to restricted scenarios, as indicated by its low CVSS v3.1 base score of 3.8 (AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N), reflecting local access vector, low attack complexity, low privileges required, no user interaction, changed scope, and limited confidentiality impact with no integrity or availability effects.
A local attacker with low privileges can exploit this vulnerability to execute arbitrary code in the context of pre-installed applications. Exploitation requires physical or logical access to the device running the affected OpenHarmony version, but the changed scope (S:C) suggests potential propagation to higher privilege contexts despite the low impact profile.
Mitigation details are available in the OpenHarmony security advisory at https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-03.md, published on 2025-03-04.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The use-after-free vulnerability enables local low-privileged arbitrary code execution in pre-installed apps with changed scope, directly mapping to exploitation for privilege escalation.