CVE-2025-24493 – This CVE describes a race condition vulnerabili... (How to Fix)

Q: What is the severity of CVE-2025-24493?

CVE-2025-24493 has a CVSS score of 5.5 (MEDIUM). This CVE describes a race condition vulnerability in OpenHarmony that allows local attackers to cause information leaks. The vulnerability affects OpenHarmony v5.0.3 and earlier versions, potentially exposing sensitive data to unauthorized local users.

📋 TL;DR

This CVE describes a race condition vulnerability in OpenHarmony that allows local attackers to cause information leaks. The vulnerability affects OpenHarmony v5.0.3 and earlier versions, potentially exposing sensitive data to unauthorized local users.

💻 Affected Systems

Products:

OpenHarmony

Versions: v5.0.3 and prior versions

Operating Systems: OpenHarmony-based systems

Default Config Vulnerable: ⚠️ Yes

Notes: Affects systems running vulnerable versions of OpenHarmony. The vulnerability requires local access to exploit.

📦 What is this software?

Openharmony by Openatom

View all CVEs affecting Openharmony →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Local attacker gains unauthorized access to sensitive system information, potentially including cryptographic keys, user data, or system configuration details.

🟠

Likely Case

Local user with limited privileges accesses information they shouldn't be able to see, potentially leading to privilege escalation or further system compromise.

🟢

If Mitigated

Information exposure limited to non-critical data with proper access controls and isolation mechanisms in place.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring attacker to have local access to the system.

🏢 Internal Only: MEDIUM - Local users on affected systems could exploit this to access sensitive information they shouldn't have access to.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access and timing the race condition correctly. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after v5.0.3

Vendor Advisory: https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md

Restart Required: Yes

Instructions:

1. Check current OpenHarmony version. 2. Update to version newer than v5.0.3. 3. Reboot the system to apply changes.

🔧 Temporary Workarounds

Restrict local access

all

Limit local user access to systems running vulnerable OpenHarmony versions

Implement strict access controls

all

Enforce principle of least privilege for local users on affected systems

🧯 If You Can't Patch

Isolate affected systems from sensitive networks and data
Implement enhanced monitoring for unusual local access patterns

🔍 How to Verify

Check if Vulnerable:

Check OpenHarmony version with 'getprop ro.build.version.release' or similar system commands

Check Version:

getprop ro.build.version.release

Verify Fix Applied:

Verify version is newer than v5.0.3 and check that the update was successfully applied

📡 Detection & Monitoring

Log Indicators:

Unusual local process activity
Multiple rapid access attempts to sensitive files
Race condition timing patterns in system logs

Network Indicators:

Not applicable - local vulnerability

SIEM Query:

Search for multiple rapid file access attempts from same local user within short timeframes

📊 Metadata

CVE ID: CVE-2025-24493

CVSS v3 Score: 5.5 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CWE: CWE-362

EPSS Score: 0.01% exploit probability (1.2th percentile)

Published: June 8, 2025

Last Updated: June 9, 2025

🔗 References

https://gitee.com/openharmony/security/blob/master/zh/security-disclosure/2025/2025-06.md Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-24493, you might also want to check these: