CVE-2024-43093
Published 2024-11-13
Priority P181 · high · 7.3 (CVSS 3.1)
AV:L / AC:L / PR:L / UI:R / S:U / C:H / I:H / A:H
KEV · ITW
CISA Known Exploited Vulnerability · due 2024-11-28
Exploited in the wild
EPSS: 0.71% (49.0th percentile)
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
Affected
17 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| android | — | — | |
| platform | frameworks_base | >= 12:0 < 12:2025-03-01 | 12:2025-03-01 |
| platform | frameworks_base | >= 12L:0 < 12L:2025-03-01 | 12L:2025-03-01 |
| platform | frameworks_base | >= 13:0 < 13:2025-03-01 | 13:2025-03-01 |
| platform | frameworks_base | >= 14:0 < 14:2025-03-01 | 14:2025-03-01 |
| platform | frameworks_base | >= 15-next:0 < 15-next:2025-03-01 | 15-next:2025-03-01 |
| platform | frameworks_base | >= 15:0 < 15:2025-03-01 | 15:2025-03-01 |
Detection & IOCs (extracted from sources)
- Monitor for file path access attempts to sensitive directories via Documents UI / ExternalStorageProvider that include Unicode-normalized path components (e.g., homoglyph or decomposed Unicode characters) that may bypass the shouldHideDocument filter.
- CVE-2024-43093 impacts the Android Framework component and Google Play system updates, specifically in the Documents UI; monitor for anomalous privilege escalation events originating from the Documents UI process.
- CVE-2024-43093 has been observed exploited in limited, targeted attacks; treat any exploitation as potentially linked to spyware or nation-state activity, particularly given co-exploitation with CVE-2024-43047 in NoviSpy spyware campaigns.
- Affected Android versions are 12, 12L, 13, 14, and 15; Android 11 and older are no longer supported and may not receive patches.
- Google Pixel devices receive patches immediately; other OEM vendors typically take longer to test and deploy security patches, so detection/patching timelines will vary by device manufacturer.
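The monitoring idea in the first bullet, as an added example that is not AOSP code and does not come from any source quoted on this page: a deny-list check is run on the path as supplied and again on a canonical form (NFKC, case-folded, dot segments resolved), and any path that only matches after canonicalization is flagged. The directory `Vault/Privé`, the `doc_path` field and the sample events are constructed for illustration; the actual `shouldHideDocument` logic is not shown on this page.

```python
import unicodedata

# Constructed deny-list for illustration; NOT the directories AOSP protects.
PROTECTED_DIRS = ("Vault/Priv\u00e9",)  # precomposed e-acute (NFC form)

def canonical(path: str) -> str:
    """NFKC-normalize, case-fold and resolve separators and dot segments."""
    text = unicodedata.normalize("NFKC", path).casefold()
    text = unicodedata.normalize("NFKC", text)  # casefold can denormalize
    parts = []
    for seg in text.replace("\\", "/").split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/".join(parts)

def _under(path: str, root: str) -> bool:
    return path == root or path.startswith(root + "/")

def raw_match(path: str) -> bool:
    """Weak pattern: compares the string exactly as the caller supplied it."""
    return any(_under(path, d) for d in PROTECTED_DIRS)

def canonical_match(path: str) -> bool:
    """Hardened pattern: both sides reduced to one canonical form first."""
    p = canonical(path)
    return any(_under(p, canonical(d)) for d in PROTECTED_DIRS)

def classify(path: str) -> str:
    if raw_match(path):
        return "blocked"       # the plain filter already catches it
    if canonical_match(path):
        return "suspicious"    # protected only after normalization: alert
    return "allowed"

# Constructed events; "doc_path" is a hypothetical log field.
EVENTS = [
    {"doc_path": "Vault/Priv\u00e9/notes.txt"},    # precomposed
    {"doc_path": "Vault/Prive\u0301/notes.txt"},   # decomposed (e + U+0301)
    {"doc_path": "Vault/Priv\u00e9lege/a.txt"},    # sibling, shared prefix
    {"doc_path": "Pictures/trip.jpg"},
]

def scan(events):
    return [(e["doc_path"], classify(e["doc_path"])) for e in events]
```

A "suspicious" verdict means the raw and canonical checks disagree, which is the condition worth alerting on; a filter that enforces on `canonical_match` alone closes the gap.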
CVSS provenance
nvd · v3.1 · 7.3 HIGH · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
vulncheck · 7.3 HIGH
cisa · 7.3 HIGH
Android
CVE-2024-43093: Android Security Bulletin 2025-03-01
CVE: CVE-2024-43093
Severity: HIGH
Type: EoP
Affected AOSP versions: 12, 12L, 13, 14, 15
References: A-341680936
vendor_android·2025-03-01·CVSS 7.3
CISA
Android Framework Privilege Escalation Vulnerability
cisa·2024-11-07·CVSS 7.3
Vulnerability: Android Framework Privilege Escalation Vulnerability
Affected: Android Framework
Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Notes: https://source.android.com/docs/security/bulletin/2024-11-01 ; https://nvd.nist.gov/vuln/detail/CVE-2024-43093
Remediation Due Date: 2024-11-28
OSV
CVE-2024-43093: In shouldHideDocument of ExternalStorageProvider
osv·2025-03-01
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
GHSA
GHSA-9g9p-59w9-vqqc: In shouldHideDocument of ExternalStorageProvider
ghsa_unreviewed·2024-11-13
CVE-2024-43093 [HIGH] CWE-176 GHSA-9g9p-59w9-vqqc: In shouldHideDocument of ExternalStorageProvider
In shouldHideDocument of ExternalStorageProvider.java, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
VulnCheck
Android Framework Privilege Escalation Vulnerability
vulncheck·2024·CVSS 7.3
Android Framework contains an unspecified vulnerability that allows for privilege escalation.
Affected: Android Framework
Required Action: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://docs.google.com/spreadsheets/d/1lkNJ0uQwbeC1ZTRrxdtuPLCIl7mlUreoKfSIgajnSyY/edit; https://source.android.com/docs/security/bulletin/2024-11-01; https://www.cybersecurity-help.cz/vdb/SB2024110465; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://securelist.com/ksb-apt-predictions-2025/114582/; https://source.android.com/docs/security/bulletin/2025-03-01
Remediation Due: 2024-11-28
No detection rules found.
No public exploits indexed.
Checkpoint
10th March – Threat Intelligence Report
blogs_checkpoint·2025-03-10
CVE-2025-22224 10th March – Threat Intelligence Report
## 10th March – Threat Intelligence Report
For the latest discoveries in cyber research for the week of 10th March, please download our Threat Intelligence Bulletin.
TOP ATTACKS AND BREACHES
The City of Mission, Texas, has declared a local state of emergency following a severe cybersecurity incident that threatens to expose protected personal information, health records, and other critical data managed by city departments. The emergency declaration was issued by Mayor Norie Gonzalez Garza on March 4, 2025, after
Bleepingcomputer
Google fixes Android zero-day exploited by Serbian authorities
blogs_bleepingcomputer·2025-03-04·CVSS 7.3
CVE-2024-50302 [HIGH] Google fixes Android zero-day exploited by Serbian authorities
## Google fixes Android zero-day exploited by Serbian authorities
## Sergiu Gatlan
Google has released patches for 43 vulnerabilities in Android's March 2025 security update, including two zero-days exploited in targeted attacks.
Serbian authorities have used one of the zero-days, a high-severity information disclosure security vulnerability (CVE-2024-50302) in the Linux kernel's driver for Human Interface Devices, to unlock confiscated devices.
The flaw was reportedly exploited as part of an Android zero-day exploit chain developed by Israeli digital forensics company Cellebrite to unlock confiscated devices.
The exploit chain—which also includes a USB Video Class zero-day (CVE-2024-53104) patched last month and an ALSA USB-sound driver zero-day)—was found by Amnesty International'
Bleepingcomputer
Google fixes Android kernel zero-day exploited in attacks
blogs_bleepingcomputer·2025-02-03·CVSS 7.8
CVE-2024-45569 [HIGH] Google fixes Android kernel zero-day exploited in attacks
## Google fixes Android kernel zero-day exploited in attacks
## Sergiu Gatlan
In addition to this actively exploited zero-day bug, the February 2025 Android security updates also fix a critical security flaw in Qualcomm's WLAN component.
Qualcomm describes this critical flaw (CVE-2024-45569) as a firmware memory corruption issue caused by an Improper Validation of Array Index weakness in WLAN host communication when parsing the ML IE due to invalid frame content.
CVE-2024-45569 can be exploited by remote attackers to potentially execute arbitrary code or commands, read or modify memory, and trigger crashes in low-complexity attacks that don't require privileges or user interaction.
## Android security patch levels
Google released two sets of patches for February 2025, the 2025-02-01
Securelist
Advanced threat predictions for 2025
blogs_securelist·2024-11-25·CVSS 8.8
[HIGH] Advanced threat predictions for 2025
Table of Contents
- Review of last year’s predictions
- APT predictions for 2025
Authors
- Igor Kuznetsov
- Giampaolo Dedola
- Georgy Kucherin
- Maher Yamout
- Vasily Berdnikov
- Isabel Manjarrez
- Ilya Savelyev
- Joao Godinho
We at Kaspersky’s Global Research and Analysis Team monitor over 900 APT (advanced persistent threat) groups and operations. At the end of each year, we take a step back to assess the most complex and sophisticated attacks that have shaped the threat landscape. These insights enable us to anticipate emerging trends and build a clearer picture of what the APT landscape may look like in the year ahead.
In this article in the KSB series, we review the trends of the past year, reflect on the predictions we made for 2024, and offer insights into what we can expect in
Checkpoint
11th November – Threat Intelligence Report
blogs_checkpoint·2024-11-11
CVE-2024-20418 11th November – Threat Intelligence Report
## 11th November – Threat Intelligence Report
Memorial Hospital and Manor in Bainbridge, Georgia, has been a victim of a ransomware attack that resulted in the loss of access to its electronic health record system. The Embargo ransomware gang has claimed responsibility, threatening to leak 1.15 terabytes of purportedly stolen data by November 8.
Check Point Harmony Endpoint and Threat Emulation provide protection against this threat (Ransomware.Wins.Embargo.*, Ransomware.Win.Embargo.*)
Serco, a company operating p
Bleepingcomputer
Google fixes two Android zero-days used in targeted attacks
blogs_bleepingcomputer·2024-11-05·CVSS 8.2
CVE-2024-43047 [HIGH] Google fixes two Android zero-days used in targeted attacks
## Google fixes two Android zero-days used in targeted attacks
## Bill Toulas
The CVE-2024-43047 flaw is a high-severity use-after-free issue in closed-source Qualcomm components within the Android kernel that elevates privileges.
The flaw was first disclosed in early October 2024 by Qualcomm as a problem in its Digital Signal Processor (DSP) service.
CVE-2024-43093 is also a high-severity elevation of privilege flaw, this time impacting the Android Framework component and Google Play system updates, specifically in the Documents UI.
Google did not disclose who discovered the CVE-2024-43093 vulnerability.
While Google did not share any details on how the vulnerabilities were exploited, as researchers at Amnesty International discovered CVE-2024-43047, it could indicate that the flaw
Published: 2024-11-13
Added to CISA KEV: 2024-11-07
Exploited in the wild