
HarmonyOS CVE-2025-48906

EUVD: EUVD-2025-17085 · HIGH
Authentication Bypass by Spoofing (CWE-290)
2025-06-06 psirt@huawei.com
8.8
CVSS 3.1 · NVD

Severity by source

NVD PRIMARY
8.8 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

EUVD ID Assigned
Mar 14, 2026 - 18:10 euvd
EUVD-2025-17085
Analysis Generated
Mar 14, 2026 - 18:10 vuln.today
CVE Published
Jun 06, 2025 - 07:15 nvd
HIGH 8.8

Description (CVE.org)

Authentication bypass vulnerability in the DSoftBus module Impact: Successful exploitation of this vulnerability may affect availability.

Analysis (AI)

CVE-2025-48906 is an authentication bypass in the DSoftBus module of HarmonyOS, reported by Huawei PSIRT and classified as CWE-290 (Authentication Bypass by Spoofing). The NVD vector (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) describes an attacker on the same local network segment who needs no privileges and no user interaction, and assigns high impact to confidentiality, integrity and availability; the vendor description, by contrast, states only that exploitation "may affect availability". The 8.8 rating is HIGH, not critical (CVSS v3.1 reserves Critical for 9.0 and above). Use the NVD figure for prioritisation and the vendor text as the confirmed impact; affected and fixed versions are not listed on this page.

Technical Context (AI)

DSoftBus (distributed soft bus) is the HarmonyOS/OpenHarmony component that handles device discovery, connection set-up and data transport between devices in a distributed network, so its authentication layer decides which nearby devices may open sessions and reach services. CWE-290 is Authentication Bypass by Spoofing: the peer's identity is accepted on the strength of something an attacker can forge, such as a self-asserted device identifier, a network address or a replayed message, rather than a proof bound to a secret that only the genuine device holds. (CWE-290 is not a weak-cryptography class; that is CWE-327.) The adjacent attack vector (AV:A) places the flaw in network-reachable discovery or handshake traffic, and AC:L with PR:N means a spoofing peer needs neither a foothold on the victim nor special timing. Which field or message is spoofable has not been published; the vendor description above is the only detail available.
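To make the CWE-290 distinction concrete, here is an added example (not DSoftBus code, and not from Huawei or OpenHarmony) of a hypothetical device-to-device session handshake implemented two ways. The vulnerable verifier accepts any peer that claims a trusted device ID, which is exactly the spoofable check the CWE describes; the hardened verifier binds the claimed ID to an HMAC over a single-use nonce, so a peer that knows the ID but not the pairing key is rejected, and so is a replayed response. The device IDs, key table and message layout are constructed for the example.

```python
"""Added example: CWE-290 (authentication by spoofable identity) in a
hypothetical peer-session handshake, beside a challenge-response fix.
Not DSoftBus code; device IDs, keys and message format are constructed."""
import hashlib
import hmac
import secrets

# Constructed sample data: per-device pre-shared keys the verifier holds
# after pairing. The layout is hypothetical.
TRUSTED_KEYS = {
    "phone-A1": secrets.token_bytes(32),
    "tablet-B7": secrets.token_bytes(32),
}


def vulnerable_accept(claimed_id: str, trusted: dict) -> bool:
    """CWE-290: the only 'authentication' is a membership test on an
    identifier the peer asserts about itself, so any host on the
    segment can spoof a trusted device."""
    return claimed_id in trusted


def _tag(key: bytes, device_id: str, nonce: bytes) -> bytes:
    """HMAC-SHA256 over a domain-separated transcript of ID and nonce."""
    msg = b"session-auth|" + device_id.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


class Verifier:
    """Hardened side: issues a fresh nonce per request and accepts only
    a tag computed with the key paired to the claimed device ID."""

    def __init__(self, keys: dict):
        self._keys = keys
        self._pending = {}  # nonce -> device_id it was issued for

    def challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = device_id
        return nonce

    def verify(self, device_id: str, nonce: bytes, tag: bytes) -> bool:
        # Nonce is single-use: popping it defeats replay of a valid tag.
        if self._pending.pop(nonce, None) != device_id:
            return False
        key = self._keys.get(device_id)
        if key is None:
            return False
        return hmac.compare_digest(_tag(key, device_id, nonce), tag)


class Prover:
    """A peer that answers challenges with whatever key it holds."""

    def __init__(self, device_id: str, key: bytes):
        self.device_id = device_id
        self._key = key

    def respond(self, nonce: bytes) -> bytes:
        return _tag(self._key, self.device_id, nonce)


def run_scenarios() -> dict:
    """Legitimate peer, spoofing peer and replay against both verifiers."""
    verifier = Verifier(TRUSTED_KEYS)
    legit = Prover("phone-A1", TRUSTED_KEYS["phone-A1"])
    # The attacker knows the trusted ID but not its pairing key.
    attacker = Prover("phone-A1", secrets.token_bytes(32))
    results = {}

    results["vuln_accepts_spoof"] = vulnerable_accept("phone-A1", TRUSTED_KEYS)

    n1 = verifier.challenge("phone-A1")
    tag1 = legit.respond(n1)
    results["hardened_accepts_legit"] = verifier.verify("phone-A1", n1, tag1)

    # Same nonce again: already consumed, so the valid tag is refused.
    results["hardened_rejects_reused_nonce"] = not verifier.verify("phone-A1", n1, tag1)

    n2 = verifier.challenge("phone-A1")
    results["hardened_rejects_spoof"] = not verifier.verify("phone-A1", n2, attacker.respond(n2))

    # Replay: a captured good tag presented against a fresh challenge.
    n3 = verifier.challenge("phone-A1")
    results["hardened_rejects_replay"] = not verifier.verify("phone-A1", n3, tag1)
    return results


if __name__ == "__main__":
    for name, ok in run_scenarios().items():
        print(f"{name}: {ok}")
```

The point to carry over to a real fix is the binding: the accepted identity must be the one the secret proves, the proof must cover a verifier-chosen fresh value, and the comparison must be constant-time. Trusting a device ID, MAC or source address on its own is the pattern CWE-290 names.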

Remediation (AI)

Immediate actions:
(1) Apply the HarmonyOS update from the Huawei security bulletin that lists CVE-2025-48906. Huawei PSIRT is the CNA, and its bulletin is the authoritative source for affected and fixed versions, which this page does not list; OpenHarmony-based devices from other manufacturers depend on that manufacturer's update.
(2) Until patched, keep DSoftBus-enabled devices off shared or guest networks. The vector is adjacent, so the exposure is any host on the same Wi-Fi or LAN segment: place consumer and IoT devices on their own VLAN, enable client isolation where the access point supports it, and restrict cross-segment traffic at the network firewall rather than expecting host-level filtering on the device.
(3) Disable distributed or multi-device features that are not needed, since they are what DSoftBus serves.
(4) After updating, review the device's list of paired or trusted devices and remove any the user does not recognise; a spoofing bypass leaves no credential to rotate, but a stale trust entry is a reconnection path.

CVE-2026-28536 CRITICAL
9.6 Mar 05

Auth bypass in device authentication module.

CVE-2025-64314 CRITICAL
9.3 Nov 28

Permission control vulnerability in the memory management module. Rated critical severity (CVSS 9.3), this vulnerability

CVE-2025-31173 HIGH
8.8 Apr 07

Memory write permission bypass vulnerability in the kernel futex module Impact: Successful exploitation of this vulnerab

CVE-2024-58045 HIGH
8.6 Mar 04

Multi-concurrency vulnerability in the media digital copyright protection module Impact: Successful exploitation of this

CVE-2025-31175 HIGH
8.4 Apr 07

Deserialization mismatch vulnerability in the DSoftBus module Impact: Successful exploitation of this vulnerability may

CVE-2025-31170 HIGH
8.4 Apr 07

Access control vulnerability in the security verification module Impact: Successful exploitation of this vulnerability w

CVE-2024-58127 HIGH
8.4 Apr 07

Access control vulnerability in the security verification module Impact: Successful exploitation of this vulnerability w

CVE-2024-58126 HIGH
8.4 Apr 07

Access control vulnerability in the security verification module Impact: Successful exploitation of this vulnerability w

CVE-2024-58125 HIGH
8.4 Apr 07

Access control vulnerability in the security verification module Impact: Successful exploitation of this vulnerability w

CVE-2024-58124 HIGH
8.4 Apr 07

Access control vulnerability in the security verification module Impact: Successful exploitation of this vulnerability w

CVE-2024-58044 HIGH
8.4 Mar 04

Permission verification bypass vulnerability in the notification module Impact: Successful exploitation of this vulnerab

CVE-2025-54653 HIGH
8.4 Aug 06

Path traversal vulnerability in the virtualization file module. Rated high severity (CVSS 8.4), this vulnerability is lo


CVE-2025-48906 vulnerability details – vuln.today
