CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Authentication bypass vulnerability in the DSoftBus module. Impact: Successful exploitation of this vulnerability may affect availability.
Analysis
CVE-2025-48906 is an authentication bypass vulnerability in the DSoftBus module that allows unauthenticated attackers on the local network to completely compromise system confidentiality, integrity, and availability without user interaction. The vulnerability affects DSoftBus implementations across multiple platforms with a CVSS score of 8.8, indicating critical severity with high exploitability potential on adjacent networks.
Technical Context
DSoftBus is a distributed soft bus communication module used for inter-process communication and service discovery in various operating systems and IoT platforms. The vulnerability root cause is classified under CWE-290 (Authentication Using a Broken or Risky Cryptographic Algorithm), indicating the authentication mechanism either uses insufficient cryptographic protections, lacks proper validation, or can be circumvented through cryptographic weaknesses. The adjacent network attack vector (AV:A) suggests the flaw exists in network-based authentication handshakes or credential validation during service discovery or RPC mechanisms within DSoftBus. The low attack complexity (AC:L) and no privilege requirement (PR:N) indicate this is a fundamental design flaw rather than edge-case exploitation requiring specific conditions.
Affected Products
DSoftBus module implementations including but not limited to: OpenHarmony devices and derivatives, Huawei HarmonyOS systems, and any third-party implementations of the DSoftBus protocol. Specific affected versions require vendor advisory cross-reference; however, all DSoftBus versions implementing the vulnerable authentication mechanism are at risk. CPE identifiers likely include: cpe:2.3:a:openharmony:dsoftbus:*:*:*:*:*:*:*:* (all versions pre-patch). Vendor advisories should specify version cutoffs and platform-specific impact (mobile, IoT, embedded systems).
Remediation
Immediate actions: (1) Isolate DSoftBus-enabled devices from untrusted network segments; implement strict network segmentation and firewall rules limiting DSoftBus traffic to authorized hosts only; (2) Monitor for vendor security advisories from OpenHarmony, Huawei, and device manufacturers for patched versions; (3) Patch to latest DSoftBus versions once vendors release security updates addressing CWE-290 (expected to implement cryptographically sound authentication, mutual authentication, or capability-based authorization); (4) Temporary workarounds include disabling DSoftBus if not essential, restricting network access via iptables/firewall rules to trusted peers, or implementing application-level authentication overlays. Vendor patch links and specific version updates must be obtained from official OpenHarmony security advisories and device manufacturer security bulletins.
EUVD-2025-17085