Platform: huawei
Component: huawei-mate-20-pro
Fixed in: 10.1.1
CVE-2020-9250 describes an insufficient authentication vulnerability discovered in the Huawei Mate 20 Pro smartphone. Successful exploitation allows an unauthenticated, local attacker to craft a malicious software package, potentially impacting service availability. This vulnerability affects devices running versions prior to 10.1.0.160(C00E160R3P8), and a fix is available in version 10.1.0.160.
The primary impact of CVE-2020-9250 is the potential for a denial-of-service (DoS) condition. An attacker with local access to the device can craft a specially designed software package to trigger this vulnerability. This crafted package bypasses authentication checks, allowing the attacker to execute actions that could disrupt or halt the normal operation of the affected service. While the CVSS score is LOW, the local access requirement means that this vulnerability is most likely to be exploited in scenarios involving physical access or compromised devices within a local network. The impact is limited to the affected service on the device itself, preventing broader system compromise.
CVE-2020-9250 is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code for this vulnerability is not widely available, suggesting a low probability of active exploitation. The vulnerability was disclosed in December 2019 and assigned a CVE in 2020, indicating that it has been known for some time. Given the local access requirement, exploitation is likely to be targeted and opportunistic.
Exploit Status
EPSS: 0.05% (14th percentile)
The primary mitigation for CVE-2020-9250 is to upgrade the Huawei Mate 20 Pro to version 10.1.0.160 or later. This update includes the necessary authentication checks to prevent the exploitation of this vulnerability. If an immediate upgrade is not possible due to compatibility concerns or device limitations, consider restricting local software installation and carefully scrutinizing any software packages installed on the device. While a WAF or proxy cannot directly mitigate this local vulnerability, ensuring the device's software sources are trusted can reduce the risk of malicious package installation. After upgrading, confirm the fix by attempting to install a known malicious package and verifying that the authentication check is enforced.
Update your HUAWEI Mate 20 Pro device to version 10.1.0.160 or later. The update can be performed through the system settings or by using the HiSuite application on your computer. Be sure to back up your important data before performing the update.
CVE-2020-9250 is a LOW severity vulnerability allowing an unauthenticated local attacker to craft a malicious software package, potentially impacting service availability on Huawei Mate 20 Pro devices.
You are affected if you are using a Huawei Mate 20 Pro with a version earlier than 10.1.0.160(C00E160R3P8).
Upgrade your Huawei Mate 20 Pro to version 10.1.0.160 or later to mitigate this vulnerability.
There is no widespread evidence of active exploitation, but the vulnerability remains a potential risk.
Refer to the Huawei security vulnerability list for details: https://consumer.huawei.com/en/security/