CVE-2023-46757

7.5 HIGH

📋 TL;DR

This vulnerability in Huawei's remote PIN module involves incorrect information storage locations that could expose sensitive data. It affects Huawei devices running HarmonyOS, potentially allowing attackers to access confidential information stored in memory. The vulnerability impacts confidentiality but doesn't allow code execution or privilege escalation.

💻 Affected Systems

Products:
  • Huawei devices with remote PIN functionality
Versions: Specific HarmonyOS versions as detailed in Huawei security bulletins from November 2023
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with the remote PIN module enabled; exact device models not specified in provided references

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Sensitive PIN-related data could be exposed to unauthorized parties, potentially compromising user authentication security and privacy.

🟠 Likely Case

Limited exposure of non-critical memory contents or metadata, with PIN data potentially being accessible under specific conditions.

🟢 If Mitigated

Minimal impact with proper memory isolation and access controls preventing unauthorized data access.

🌐 Internet-Facing: LOW - This appears to be a local vulnerability requiring access to the device or specific services.
🏢 Internal Only: MEDIUM - Could be exploited by malicious apps or users with local access to affected devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires local access or installation of a malicious application; no public exploit details are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Security updates released in November 2023

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2023/11/

Restart Required: Yes

Instructions:

1. Check for available updates in device settings
2. Install the latest security update
3. Restart the device after installation

🔧 Temporary Workarounds

Disable remote PIN functionality (applies to: all)

Temporarily disable remote PIN features if not required.

Restrict app permissions (applies to: all)

Review and restrict application permissions to minimize the attack surface.

🧯 If You Can't Patch

  • Isolate affected devices from untrusted networks
  • Implement strict access controls and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the device's security patch level in settings; if it predates the November 2023 updates, the device is likely vulnerable.

Check Version:

Open Settings > About phone and note the HarmonyOS version and security patch level.

Verify Fix Applied:

Confirm in device settings that the security patch level includes the November 2023 updates.

📡 Detection & Monitoring

Log Indicators:

  • Unusual memory access patterns
  • Failed authentication attempts
  • Security service crashes

Network Indicators:

  • Unusual local service communications
  • Unexpected inter-process communication

SIEM Query:

Device logs showing security service anomalies or memory access violations
