CVE-2023-46773

9.8 CRITICAL

📋 TL;DR

CVE-2023-46773 is a permission management vulnerability in the PMS (Package Management Service) module of HarmonyOS. A local attacker who already runs code on an affected Huawei smartphone or tablet can exploit it to escalate privileges and obtain elevated system permissions.

💻 Affected Systems

Products:
  • Huawei smartphones
  • Huawei tablets
Versions: HarmonyOS builds that do not include the December 2023 security patch
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with vulnerable HarmonyOS versions; requires local access to exploit.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete device compromise with root/system-level access, allowing data theft, installation of persistence, and bypass of all on-device security controls.

🟠

Likely Case

Local privilege escalation enabling installation of malicious apps, data access, and bypassing app sandbox restrictions.

🟢

If Mitigated

Reduced blast radius where app isolation and least-privilege policies are enforced, but the vulnerability itself remains exploitable until the patch is applied: such controls limit what an escalated process can reach, not whether escalation happens.

🌐 Internet-Facing: LOW - This is a local privilege escalation; the attacker first needs code execution on the device, via a malicious app, a remote shell, or physical access.
🏢 Internal Only: HIGH - Once an attacker has that initial foothold on a device, this vulnerability turns it into full control.

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No
Complexity: MEDIUM

Requires local access to the device; no public exploit code is listed in the references. Note that a CVSS base score of 9.8 corresponds to a network-reachable, no-privileges, no-interaction vector, which does not match the local-access description here; confirm the attack vector against the vendor advisory or the NVD entry before prioritising.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: December 2023 security patches for HarmonyOS

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2023/12/

Restart Required: Yes

Instructions:

1. Check for system updates in device settings.
2. Install the December 2023 security patch.
3. Restart the device after installation.

🔧 Temporary Workarounds

Restrict physical access (applies to: all)

Limit physical access to devices to prevent local exploitation.

Disable developer options (applies to: all)

Turn off USB debugging and developer options to reduce the attack surface.

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict access controls and monitoring for device usage

🔍 How to Verify

Check if Vulnerable:

Check HarmonyOS version in Settings > About phone > HarmonyOS version

Check Version:

Not applicable - check via device settings UI

Verify Fix Applied:

Verify December 2023 security patch is installed in Settings > System & updates > Software update
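The settings-UI check above works for one device in hand. As an added example (not code from this page or from Huawei), the same check at fleet scale: given an MDM inventory export, list the HarmonyOS devices whose reported security patch level predates December 2023. The CSV layout, the ISO-date patch-level field and the sample rows are constructed assumptions; substitute your MDM's actual export. Unknown or malformed patch levels are reported as vulnerable, since a compliance check should fail closed.

```python
"""Fleet check: flag HarmonyOS devices missing the December 2023 patch.

Added example, not code from the original page or from Huawei.
Assumptions: the device inventory is an MDM CSV export with a
'security_patch' field in ISO YYYY-MM-DD form; the rows below are
constructed for illustration, not real devices.
"""
from __future__ import annotations

import csv
import io
from datetime import date

# Patch level that ships the fix per the vendor's December 2023 bulletin.
# The exact day within the month is an assumption; anything earlier than
# the first of the month is treated as unpatched.
REQUIRED_PATCH_LEVEL = date(2023, 12, 1)

# Constructed sample export (not real devices).
SAMPLE_INVENTORY = """\
device_id,model,os,os_version,security_patch
dev-001,Huawei P50,HarmonyOS,3.0.0.212,2023-12-01
dev-002,Huawei MatePad 11,HarmonyOS,3.0.0.188,2023-11-01
dev-003,Huawei Mate 40,HarmonyOS,2.0.0.230,2023-09-01
dev-004,Huawei Nova 9,HarmonyOS,3.0.0.215,2024-01-01
dev-005,Pixel 7,Android,14,2023-11-05
dev-006,Huawei P40,HarmonyOS,3.0.0.199,unknown
"""


def parse_patch_level(value: str) -> date | None:
    """Parse a YYYY-MM-DD patch level; None when missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_vulnerable(row: dict[str, str]) -> bool:
    """True when a HarmonyOS device lacks the December 2023 patch level.

    A device whose patch level cannot be parsed is reported as vulnerable:
    an unknown patch state must fail closed in a compliance check.
    """
    if row.get("os", "").strip().lower() != "harmonyos":
        return False  # other platforms are out of scope for this CVE
    level = parse_patch_level(row.get("security_patch", ""))
    return level is None or level < REQUIRED_PATCH_LEVEL


def find_unpatched(csv_text: str) -> list[str]:
    """Return device_ids of HarmonyOS devices that still need the patch."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row["device_id"] for row in reader if is_vulnerable(row)]


if __name__ == "__main__":
    for dev in find_unpatched(SAMPLE_INVENTORY):
        print(f"{dev}: HarmonyOS device below patch level {REQUIRED_PATCH_LEVEL}")
```

Run it against the real export and feed the resulting device list into the MDM's remediation workflow (forced update push or network isolation until the device reports the December 2023 level or later).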

📡 Detection & Monitoring

Log Indicators:

  • Privilege escalation attempts or unexpected permission grants in system logs
  • Package installation or permission changes that do not correspond to a user action or an MDM policy push

Network Indicators:

  • Not applicable - local vulnerability

SIEM Query:

Not applicable for typical mobile device management; instead use the MDM's compliance reporting to list devices whose security patch level predates December 2023.
