CVE-2024-40433

8.8 HIGH

📋 TL;DR

This vulnerability in Tencent WeChat's web-view component allows attackers to bypass permission controls and access sensitive data like cookies. It affects WeChat users on vulnerable versions, potentially exposing their authentication tokens and session data to malicious actors.

💻 Affected Systems

Products:
  • Tencent WeChat
Versions: v8.0.37 and possibly earlier versions
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default web-view component configuration that improperly handles cookie permissions.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete account takeover, unauthorized access to private messages and financial data, and lateral movement to connected services.

🟠 Likely Case: Session hijacking, unauthorized access to web accounts linked through WeChat, and data exfiltration from vulnerable sessions.

🟢 If Mitigated: Limited impact with proper network segmentation and application sandboxing, though some data exposure may still occur.

🌐 Internet-Facing: HIGH - Web-view components interact with external content, making them accessible to remote attackers.
🏢 Internal Only: MEDIUM - Requires user interaction with malicious content, but internal threats could exploit it through phishing.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (e.g., clicking a malicious link) but is straightforward once initiated, with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v8.0.38 or later

Vendor Advisory: https://github.com/yikaikkk/CookieShareInWebView/blob/master/README.md

Restart Required: Yes

Instructions:

1. Open the app store for WeChat (Google Play Store or Apple App Store).
2. Check for updates.
3. Install WeChat v8.0.38 or newer.
4. Restart the app to apply changes.

🔧 Temporary Workarounds

Disable Web-View in WeChat

all

Prevent WeChat from loading external web content to block exploitation vectors.

Not applicable - configure in app settings

Network Segmentation

all

Restrict WeChat traffic to trusted networks only to reduce exposure.

Configure firewall rules to limit WeChat app network access

🧯 If You Can't Patch

  • Disable WeChat web-view functionality in app settings to prevent loading malicious content.
  • Use device-level app sandboxing or mobile device management (MDM) to restrict WeChat permissions.

🔍 How to Verify

Check if Vulnerable:

Check WeChat version in app settings; if version is 8.0.37 or earlier, it is vulnerable.

Check Version:

Open WeChat > Settings > About > Version

Verify Fix Applied:

Update to WeChat v8.0.38 or later and confirm version in app settings.

📡 Detection & Monitoring

Log Indicators:

  • Unusual cookie access patterns in app logs
  • Web-view component errors or permission denials

Network Indicators:

  • Suspicious outbound connections from WeChat to unknown domains
  • Unexpected cookie transmissions in network traffic

SIEM Query:

source="wechat" AND (event="cookie_access" OR event="webview_error")
