CVE-2022-48348

9.1 CRITICAL

📋 TL;DR

This vulnerability in Huawei's MediaProvider module allows unauthorized data reading, potentially exposing sensitive media files and metadata. It affects Huawei devices running HarmonyOS and EMUI, compromising confidentiality and integrity of user data.

💻 Affected Systems

Products:
  • Huawei smartphones
  • Huawei tablets
Versions: HarmonyOS versions before 3.0.0.205, EMUI versions before 13.0.0.205
Operating Systems: HarmonyOS, EMUI
Default Config Vulnerable: ⚠️ Yes
Notes: All devices with affected OS versions are vulnerable by default. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could access private photos, videos, documents, and other sensitive media files stored on affected devices, potentially leading to data theft, blackmail, or privacy violations.

🟠 Likely Case

Malicious apps could bypass permission checks to read media files they shouldn't have access to, exposing personal photos, videos, and documents.

🟢 If Mitigated

With proper app sandboxing and permission controls, only apps with specific vulnerabilities could exploit this, limiting the attack surface.

🌐 Internet-Facing: LOW - This is primarily a local vulnerability requiring app installation or physical access.
🏢 Internal Only: MEDIUM - Malicious apps on the device could exploit this without user interaction in some scenarios.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires a malicious app to be installed on the device. No public exploit code has been released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS 3.0.0.205, EMUI 13.0.0.205

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2023/3/

Restart Required: Yes

Instructions:

1. Go to Settings > System & updates > Software update.
2. Check for updates.
3. Download and install the latest security update.
4. Restart the device when prompted.

🔧 Temporary Workarounds

Restrict app permissions

all

Review and restrict media access permissions for all installed apps

Settings > Apps > [App Name] > Permissions > Media and files > Deny

Disable unknown sources

all

Prevent installation of apps from untrusted sources

Settings > Security > More settings > Install apps from external sources > Disable

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks
  • Implement strict app installation policies and only install from official app stores

🔍 How to Verify

Check if Vulnerable:

Check OS version in Settings > About phone > HarmonyOS/EMUI version

Check Version:

Settings > About phone > HarmonyOS/EMUI version

Verify Fix Applied:

Verify OS version is 3.0.0.205 or higher for HarmonyOS, or 13.0.0.205 or higher for EMUI
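
For a fleet rather than a single handset, the same check can be run over an inventory export. The following is an added example, not part of the original advisory or any Huawei tooling: it compares version components numerically, because a plain string comparison would rank 3.0.0.99 above 3.0.0.205. The inventory rows, device names and the parenthesised build suffix are constructed assumptions.

```python
import re

# Fixed versions, taken from the advisory text above.
FIXED = {"harmonyos": (3, 0, 0, 205), "emui": (13, 0, 0, 205)}

def parse_version(text):
    """Return the leading dotted version as a tuple of ints, or None if absent."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text or "")
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def status(os_name, version):
    """Classify one device as 'patched', 'vulnerable' or 'unknown'."""
    fixed = FIXED.get((os_name or "").strip().lower())
    parsed = parse_version(version)
    if fixed is None or parsed is None:
        return "unknown"  # unrecognised OS or unparseable version: review by hand
    # Pad to equal length so "3.0.1" compares as (3, 0, 1, 0).
    width = max(len(fixed), len(parsed))
    pad = lambda v: v + (0,) * (width - len(v))
    return "patched" if pad(parsed) >= pad(fixed) else "vulnerable"

# Constructed inventory rows (device id, OS, reported version); not real devices.
INVENTORY = [
    ("tablet-01", "HarmonyOS", "3.0.0.205"),
    ("phone-02", "HarmonyOS", "3.0.0.99"),        # string compare would call this patched
    ("phone-03", "EMUI", "13.0.0.205(C00E200)"),  # build suffix is an assumption, ignored
    ("phone-04", "EMUI", "12.0.0.268"),
    ("phone-05", "EMUI", ""),                     # missing version: flagged for review
]

def audit(rows):
    """Map each device id to its patch status."""
    return {dev: status(os_name, ver) for dev, os_name, ver in rows}

if __name__ == "__main__":
    for dev, result in audit(INVENTORY).items():
        print(f"{dev}: {result}")
```

Devices reported as "unknown" should be checked manually in Settings > About phone rather than assumed patched.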

📡 Detection & Monitoring

Log Indicators:

  • Unusual media access patterns
  • Apps accessing media files without proper permissions

Network Indicators:

  • Unusual data exfiltration from device

SIEM Query:

app_permission_violation AND (media_access OR file_read) AND device_os IN ('HarmonyOS', 'EMUI')
