Login Sign Up

CVE-2021-37128

9.8 CRITICAL
Path Traversal

📋 TL;DR

CVE-2021-37128 is a path traversal vulnerability in HwPCAssistant that allows attackers to write arbitrary files to the filesystem. This affects Huawei devices running HarmonyOS with the vulnerable component. Successful exploitation could lead to system compromise.

💻 Affected Systems

Products:
  • Huawei HarmonyOS devices with HwPCAssistant component
Versions: HarmonyOS 2.0 versions before 2.0.0.210
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Huawei smartphones and tablets running vulnerable HarmonyOS versions with the HwPCAssistant component enabled.

📦 What is this software?

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system takeover through arbitrary file write leading to remote code execution, data destruction, or persistent backdoor installation.

🟠

Likely Case

Local privilege escalation or unauthorized file modification affecting system integrity and confidentiality.

🟢

If Mitigated

Limited impact with proper file permissions and access controls preventing unauthorized writes to critical system locations.

🌐 Internet-Facing: LOW (requires local access or specific conditions for remote exploitation)
🏢 Internal Only: HIGH (local attackers can exploit this vulnerability to gain elevated privileges)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local access to the device. The vulnerability is in file path validation allowing directory traversal sequences.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 2.0.0.210 and later

Vendor Advisory: https://device.harmonyos.com/en/docs/security/update/security-bulletins-202110-0000001162998526

Restart Required: Yes

Instructions:

1. Check current HarmonyOS version in Settings > About phone. 2. If version is earlier than 2.0.0.210, go to Settings > System & updates > Software update. 3. Download and install the latest update. 4. Restart device after installation completes.

🔧 Temporary Workarounds

Disable HwPCAssistant component

all

Temporarily disable the vulnerable component if patching is not immediately possible

Restrict local user access

all

Implement strict access controls to limit who can interact with the device locally

🧯 If You Can't Patch

  • Implement strict file system permissions to limit write access to critical directories
  • Monitor for suspicious file write activities and implement application whitelisting

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone. If version is earlier than 2.0.0.210, the device is vulnerable.

Check Version:

Settings > About phone > HarmonyOS version

Verify Fix Applied:

After updating, verify the HarmonyOS version is 2.0.0.210 or later in Settings > About phone.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file write operations in system logs
  • Access attempts to HwPCAssistant with path traversal patterns

Network Indicators:

  • Local network connections to device management ports

SIEM Query:

source="harmonyos" AND (event="file_write" OR process="HwPCAssistant") AND path="*../*"

📊 Metadata

CVE ID: CVE-2021-37128
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-22
Published: January 3, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-37128, you might also want to check these:

CVE-2024-43955 10.0

CVE-2024-43955 is an unauthenticated path traversal vulnerability in the Droip WordPress plugin that...

Same vulnerability type (CWE-22)
CVE-2025-54261 10.0

This critical path traversal vulnerability in Adobe ColdFusion allows attackers to escape restricted...

Same vulnerability type (CWE-22)
CVE-2024-40628 10.0

This critical vulnerability in JumpServer allows attackers to read arbitrary files from the Celery c...

Same vulnerability type (CWE-22)