
CVE-2025-54654: CWE-264 Permissions, Privileges, and Access Controls in Huawei HarmonyOS

Severity: Medium
Published: Sat Oct 11 2025 (10/11/2025, 01:50:10 UTC)
Source: CVE Database V5
Vendor/Project: Huawei
Product: HarmonyOS

Description

Permission control vulnerability in the Gallery module. Successful exploitation of this vulnerability may affect service confidentiality.

AI-Powered Analysis

Last updated: 10/11/2025, 02:33:27 UTC

Technical Analysis

CVE-2025-54654 is a permission control vulnerability classified under CWE-264 that affects the Gallery module of Huawei's HarmonyOS versions 5.0.1 and 5.1.0. It stems from improper enforcement of permissions within the Gallery application and could allow an unprivileged local attacker to cause a denial of service (DoS). The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) indicates that exploitation requires local access but neither privileges nor user interaction, so any local user or process could trigger the flaw with low complexity. The vector scores no confidentiality or integrity impact and a high availability impact, i.e. disruption of the Gallery service or related system components; note that the vendor description above refers instead to service confidentiality, so the two sources disagree on the affected property. No exploits have been reported in the wild, and Huawei has not yet released patches. The vulnerability was reserved in July 2025 and published in October 2025. The lack of patches combined with the medium severity score suggests that, while the risk is not critical, the flaw could still disrupt device functionality, especially in environments with extensive HarmonyOS deployments. Because the Gallery module is a core user-facing application, disruption would affect user experience and operational continuity.

Potential Impact

For European organizations, the primary impact of CVE-2025-54654 is the potential for denial of service on devices running affected HarmonyOS versions. This could disrupt workflows relying on Huawei devices, particularly those using the Gallery app for media management or other integrated services. While confidentiality and integrity are not directly impacted, availability issues could lead to operational delays or loss of productivity. In sectors where device availability is critical, such as telecommunications, public services, or enterprises with Huawei device deployments, this vulnerability could pose a moderate operational risk. Additionally, the requirement for local access limits remote exploitation, but insider threats or compromised local environments could leverage this vulnerability. The absence of patches means organizations must rely on compensating controls until updates are available. Given Huawei's market presence in Europe, especially in countries with significant Huawei device usage, the impact could be more pronounced in those regions.

Mitigation Recommendations

1. Restrict physical and local access to devices running HarmonyOS to trusted personnel only, minimizing the risk of local exploitation.
2. Implement strict device usage policies and monitor for unusual activity on Huawei devices, focusing in particular on the Gallery app and related processes.
3. Employ endpoint detection and response (EDR) solutions capable of identifying anomalous behavior indicative of exploitation attempts.
4. Regularly audit device configurations and permissions to ensure no unauthorized privilege escalation or access exists.
5. Coordinate with Huawei for timely updates and patches; prioritize patch deployment once available.
6. Consider temporarily disabling or limiting use of the Gallery module in sensitive environments, if feasible, until a patch is released.
7. Educate users about the risks of local device access and enforce strong physical security controls.
8. Maintain up-to-date backups of critical data to mitigate potential service disruptions.


Technical Details

Data Version
5.1
Assigner Short Name
huawei
Date Reserved
2025-07-28T03:55:34.533Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68e9be7854cfe91d8fec883f

Added to database: 10/11/2025, 2:18:32 AM

Last enriched: 10/11/2025, 2:33:27 AM

Last updated: 10/11/2025, 12:52:28 PM

