Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Vulnerability of improper permission assignment in the note sharing module Impact: Successful exploitation of this vulnerability may affect availability.
AnalysisAI
CVE-2025-48911 is an improper permission assignment vulnerability in a note sharing module that allows local attackers with user interaction to compromise system availability and potentially access sensitive information. The vulnerability has a CVSS score of 8.2 (High) with a broad scope impact, though specific affected products, patch status, and exploitation telemetry are not provided in the available intelligence sources. Without KEV confirmation or EPSS data, the real-world exploitation risk cannot be definitively assessed, but the local attack vector and user interaction requirement suggest this is less critical than remote, unauthenticated vulnerabilities.
Technical ContextAI
This vulnerability stems from CWE-266 (Improper Privilege Assignment), a weakness where access control mechanisms fail to correctly enforce permission boundaries in the note sharing functionality. The CVSS vector (AV:L/AC:L/PR:N/UI:R/S:C) indicates a local attack surface requiring no privileges but needing user interaction, with cross-scope impact suggesting the vulnerability can affect resources beyond the immediate application context. The note sharing module likely implements collaborative features (read, write, delete, share permissions) without proper validation of user roles or access control lists, allowing a local attacker to escalate or modify permissions through social engineering or UI-based manipulation. No specific CPE strings, vendor identification, or product versions are available from the provided data, limiting the ability to identify exact affected deployments.
RemediationAI
No specific patch versions, vendor advisories, or remediation guidance are provided in the available intelligence. Recommended actions: (1) Contact the affected software vendor directly to obtain patch information and timelines; (2) Check the vendor's security advisory portal for CVE-2025-48911-specific guidance; (3) If patches are available, prioritize deployment in line with internal patch management SLAs (recommend within 30 days given CVSS 8.2); (4) Interim mitigations pending patch deployment—restrict local access to systems running the affected software, review and audit current permission assignments in note-sharing features, disable note-sharing functionality if not operationally critical; (5) Implement access controls to limit user interaction triggers that could activate the vulnerability (e.g., restrict permission modification UI access to administrators); (6) Monitor logs for unauthorized permission changes or access pattern anomalies.
Permission verification vulnerability in the wpa_supplicant module Impact: Successful exploitation of this vulnerability
Permission management vulnerability in the PMS module. Rated critical severity (CVSS 9.8), this vulnerability is remotel
Vulnerability of access permissions not being strictly verified in the APPWidget module.Successful exploitation of this
Vulnerability of permissions not being strictly verified in the window management module.Successful exploitation of this
API permission management vulnerability in the Fwk-Display module.Successful exploitation of this vulnerability may caus
Vulnerability of defects introduced in the design process in the HiviewTunner module. Rated critical severity (CVSS 9.8)
The DP module has a service hijacking vulnerability.Successful exploitation of this vulnerability may affect some Super
Vulnerability of out-of-bounds parameter read/write in the Wi-Fi module. Rated critical severity (CVSS 9.8), this vulner
Vulnerability of commands from the modem being intercepted in the atcmdserver module. Rated critical severity (CVSS 9.8)
Some smartphones have configuration issues. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitab
Some smartphones have the out-of-bounds write vulnerability. Rated critical severity (CVSS 9.8), this vulnerability is r
Some smartphones have the out-of-bounds write vulnerability.Successful exploitation of this vulnerability may cause syst
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-17064