Login Sign Up

CVE-2023-52114

7.5 HIGH

📋 TL;DR

This CVE describes a data confidentiality vulnerability in Huawei's ScreenReader module that could allow unauthorized access to sensitive information. Successful exploitation may affect service integrity, potentially exposing user data or system information. This affects Huawei devices running HarmonyOS with the vulnerable ScreenReader component.

💻 Affected Systems

Products:
  • Huawei devices with ScreenReader module
Versions: Specific HarmonyOS versions as detailed in Huawei security bulletins (January 2024)
Operating Systems: HarmonyOS
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices with ScreenReader functionality enabled. Check Huawei security bulletins for specific device models and versions.

📦 What is this software?

Emui by Huawei

View all CVEs affecting Emui →

Emui by Huawei

View all CVEs affecting Emui →

Emui by Huawei

View all CVEs affecting Emui →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

Harmonyos by Huawei

View all CVEs affecting Harmonyos →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of sensitive user data accessible through ScreenReader, including potentially personal information, authentication tokens, or system credentials.

🟠

Likely Case

Unauthorized access to limited user data or system information through the ScreenReader interface, potentially leading to privacy violations.

🟢

If Mitigated

Minimal impact with proper access controls and isolation preventing exploitation even if vulnerability exists.

🌐 Internet-Facing: MEDIUM - While the vulnerability itself may not be directly internet-facing, compromised devices could expose data if other attack vectors exist.
🏢 Internal Only: HIGH - This affects local device components and could be exploited by malicious apps or local attackers to access sensitive data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation likely requires some level of access or interaction with the ScreenReader component. No public exploit code identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: As specified in Huawei January 2024 security bulletins

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2024/1/

Restart Required: Yes

Instructions:

1. Check for system updates in device settings. 2. Install the latest security update from Huawei. 3. Restart device after installation. 4. Verify update applied successfully.

🔧 Temporary Workarounds

Disable ScreenReader

all

Temporarily disable the ScreenReader functionality if not required

Restrict App Permissions

all

Review and restrict app permissions that might interact with accessibility services

🧯 If You Can't Patch

  • Isolate affected devices from sensitive networks and data
  • Implement strict app installation policies and review all installed applications

🔍 How to Verify

Check if Vulnerable:

Check device HarmonyOS version against affected versions in Huawei security bulletins

Check Version:

Check in device Settings > About phone > HarmonyOS version

Verify Fix Applied:

Verify device has installed the January 2024 security update and shows updated version

📡 Detection & Monitoring

Log Indicators:

  • Unusual ScreenReader access patterns
  • Unexpected accessibility service activations
  • Permission escalation attempts

Network Indicators:

  • Unusual data exfiltration from device
  • Suspicious app communications

SIEM Query:

Search for ScreenReader or accessibility service anomalies in device logs

📊 Metadata

CVE ID: CVE-2023-52114
CVSS v3 Score: 7.5 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-269
Published: January 16, 2024
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-52114, you might also want to check these:

CVE-2023-48419 10.0

This vulnerability allows an attacker within Wi-Fi range of a Google Home device to spy on the victi...

Same vulnerability type (CWE-269)
CVE-2025-20282 10.0

This critical vulnerability in Cisco ISE and ISE-PIC allows unauthenticated remote attackers to uplo...

Same vulnerability type (CWE-269)
CVE-2022-24783 10.0

This critical vulnerability in Deno runtime allows malicious code to bypass all permission checks an...

Same vulnerability type (CWE-269)