CVE-2023-41305 – This vulnerability allows 5G SMS messages to be... (How to Fix)

Q: What is the severity of CVE-2023-41305?

CVE-2023-41305 has a CVSS score of 7.5 (HIGH). This vulnerability allows 5G SMS messages to be sent without encryption in VPN environments, potentially exposing message contents to interception. It affects Huawei devices running HarmonyOS. Attackers could read sensitive SMS content transmitted over VPN connections.

📋 TL;DR

This vulnerability allows 5G SMS messages to be sent without encryption in VPN environments, potentially exposing message contents to interception. It affects Huawei devices running HarmonyOS. Attackers could read sensitive SMS content transmitted over VPN connections.

💻 Affected Systems

Products:

Huawei smartphones and tablets with 5G capability

Versions: HarmonyOS versions prior to security updates released in September 2023

Operating Systems: HarmonyOS

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects 5G SMS messages sent while connected to VPN networks. Regular SMS and non-VPN 5G SMS are not affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Sensitive SMS messages (including authentication codes, financial information, or personal communications) are intercepted and read by attackers on the same VPN network.

🟠

Likely Case

Limited exposure of non-critical SMS content when devices connect to untrusted VPNs, with most enterprise VPNs providing additional security layers.

🟢

If Mitigated

No data exposure when using patched devices or avoiding untrusted VPN networks for SMS transmission.

🌐 Internet-Facing: MEDIUM - Requires VPN access but doesn't need internet-facing exposure of the vulnerable component.

🏢 Internal Only: HIGH - Most dangerous when exploited within internal VPN networks where attackers have network access.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM - Requires network access to VPN and ability to intercept 5G SMS traffic

Exploitation requires being on the same VPN network as the target device and intercepting 5G SMS packets.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: HarmonyOS security updates from September 2023 onward

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2023/9/

Restart Required: Yes

Instructions:

1. Check for system updates in device Settings. 2. Install available HarmonyOS security updates. 3. Restart device after update completes.

🔧 Temporary Workarounds

Disable VPN for SMS

all

Avoid sending SMS messages while connected to VPN networks

Manually disconnect from VPN before sending SMS

Use encrypted messaging apps

all

Use end-to-end encrypted messaging applications instead of SMS for sensitive communications

🧯 If You Can't Patch

Restrict VPN access to trusted networks only
Implement network monitoring for SMS traffic interception attempts on VPN segments

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone > HarmonyOS version. If version predates September 2023 security updates, device is vulnerable.

Check Version:

Settings navigation only - no CLI command available

Verify Fix Applied:

Verify HarmonyOS version includes September 2023 or later security patches in Settings > Security > Security update

📡 Detection & Monitoring

Log Indicators:

Unusual SMS transmission patterns over VPN
Failed SMS encryption attempts in system logs

Network Indicators:

Unencrypted SMS packets on VPN interfaces
SMS traffic without TLS/encryption headers

SIEM Query:

source="vpn_logs" AND (protocol="sms" OR port="5g_sms") AND encryption="none"

📊 Metadata

CVE ID: CVE-2023-41305

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-326

Published: September 27, 2023

Last Updated: November 21, 2024

🔗 References

https://consumer.huawei.com/en/support/bulletin/2023/9/ Vendor Advisory
https://device.harmonyos.com/en/docs/security/update/security-bulletins-202309-0000001638925158 Vendor Advisory
https://consumer.huawei.com/en/support/bulletin/2023/9/ Vendor Advisory
https://device.harmonyos.com/en/docs/security/update/security-bulletins-202309-0000001638925158 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-41305, you might also want to check these:

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Emui by Huawei

Emui by Huawei

Emui by Huawei

Emui by Huawei

Harmonyos by Huawei

Harmonyos by Huawei

Harmonyos by Huawei

Harmonyos by Huawei

Harmonyos by Huawei

⚠️ Risk & Real-World Impact

Worst Case

Likely Case

If Mitigated

🎯 Exploit Status

🛠️ Fix & Mitigation

✅ Official Fix

Instructions:

🔧 Temporary Workarounds

Disable VPN for SMS

Use encrypted messaging apps

🧯 If You Can't Patch

🔍 How to Verify

Check if Vulnerable:

Check Version:

Verify Fix Applied:

📡 Detection & Monitoring

Log Indicators:

Network Indicators:

SIEM Query:

📊 Metadata

🔗 References

📤 Share & Export

🔗 Related Vulnerabilities