CVE-2025-58312

5.1 MEDIUM

📋 TL;DR

A permission control vulnerability in Huawei's App Lock module could allow attackers to bypass application locking mechanisms. This affects availability by potentially preventing legitimate users from accessing locked apps. Huawei smartphone users with App Lock enabled are affected.

💻 Affected Systems

Products:
  • Huawei smartphones with App Lock feature
Versions: Specific versions not detailed in reference; check Huawei advisory for exact affected versions
Operating Systems: HarmonyOS, Android-based EMUI
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with App Lock feature enabled and configured. The vulnerability exists in the permission control mechanism of the App Lock module.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete bypass of App Lock protection allowing unauthorized access to sensitive applications like banking, messaging, or password managers.

🟠 Likely Case

Temporary denial of service where legitimate users cannot access their own locked applications until device restart or reconfiguration.

🟢 If Mitigated

Minimal impact if App Lock is disabled or if affected applications don't contain sensitive data.

🌐 Internet-Facing: LOW - This is a local device vulnerability requiring physical or malware-based access to the device.
🏢 Internal Only: MEDIUM - Could be exploited by someone with physical access to the device or through malicious apps.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires access to the device and knowledge of the vulnerability. No public exploit code has been identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check Huawei security bulletin for specific patched versions

Vendor Advisory: https://consumer.huawei.com/en/support/bulletin/2025/11/

Restart Required: Yes

Instructions:

1. Check for system updates in Settings > System & updates > Software update.
2. Install any available security updates.
3. Restart device after update installation.

🔧 Temporary Workarounds

Disable App Lock

all

Temporarily disable the App Lock feature until patched

Settings > Security > App Lock > Toggle off

Use alternative locking methods

all

Use device-level security (PIN/pattern/password) instead of App Lock

🧯 If You Can't Patch

  • Disable App Lock feature entirely
  • Use third-party app locking solutions from trusted vendors

🔍 How to Verify

Check if Vulnerable:

Check whether App Lock is enabled and whether the device has received no security updates since the vulnerability disclosure date in November 2025.

Check Version:

Settings > About phone > Build number / EMUI version

Verify Fix Applied:

Verify device has installed the latest security update from Huawei and App Lock functions correctly

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed App Lock attempts followed by successful access
  • App Lock service crashes or unexpected behavior

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Not applicable for local device vulnerabilities
