Severity (NVD, the only rating source for this CVE)
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description (CVE.org)
Authentication bypass vulnerability in the DSoftBus module. Impact: successful exploitation of this vulnerability may affect availability.
Analysis (AI-generated)
CVE-2025-48906 is an authentication bypass vulnerability in the DSoftBus module. An unauthenticated attacker on the same local network can fully compromise the confidentiality, integrity, and availability of the affected system without any user interaction. The vulnerability affects DSoftBus implementations across multiple platforms and carries a CVSS score of 8.8, indicating critical severity and high exploitability from adjacent networks.
Technical Context (AI-generated)
DSoftBus is a distributed soft bus communication module used for inter-process communication and service discovery in various operating systems and IoT platforms. The root cause is classified as CWE-290 (Authentication Bypass by Spoofing), indicating that the authentication mechanism lacks proper validation of a peer's identity, or that its cryptographic protections are insufficient and can be circumvented. The adjacent network attack vector (AV:A) suggests the flaw lies in network-based authentication handshakes or credential validation during service discovery or RPC within DSoftBus. The low attack complexity (AC:L) and absence of a privilege requirement (PR:N) indicate a fundamental design flaw rather than an edge case that requires specific conditions to exploit.
Remediation (AI-generated)
Immediate actions:
1. Isolate DSoftBus-enabled devices from untrusted network segments; implement strict network segmentation and firewall rules that limit DSoftBus traffic to authorized hosts only.
2. Monitor vendor security advisories from OpenHarmony, Huawei, and device manufacturers for patched versions.
3. Patch to the latest DSoftBus versions once vendors release security updates addressing CWE-290 (expected to implement cryptographically sound authentication, mutual authentication, or capability-based authorization).
4. As temporary workarounds, disable DSoftBus if it is not essential, restrict network access via iptables/firewall rules to trusted peers, or implement application-level authentication overlays.
Vendor patch links and specific version updates must be obtained from official OpenHarmony security advisories and device manufacturer security bulletins.
Weakness: CWE-290 – Authentication Bypass by Spoofing
Technique: Authentication Bypass
EUVD-2025-17085