The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two high-severity Android Framework vulnerabilities to its Known Exploited Vulnerabilities catalog on December 2, 2025, signaling active exploitation in the wild.
CVE-2025-48572 enables local elevation of privilege, while CVE-2025-48633 allows information disclosure, both affecting core Android APIs used by applications.
Federal agencies must apply patches by December 23, 2025, to mitigate the risks posed by these zero-days.
Google disclosed the flaws in its December 2025 Android Security Bulletin, published on December 1, noting signs of limited, targeted attacks.
These issues reside in the Android Framework component, which provides essential libraries and services for app development across Android versions 13 through 16.
Successful exploitation of CVE-2025-48572 could let a malicious app gain elevated system permissions, potentially leading to arbitrary code execution or persistent access.
CVE-2025-48633 exposes sensitive data across privilege boundaries, aiding reconnaissance or chaining with other flaws for deeper compromise.
The bulletin lists CVE-2025-48572 as an Elevation of Privilege (EoP) vulnerability with high severity, fixed under Android bug ID A-385736540 and applicable to AOSP versions 13, 14, 15, and 16.
CVE-2025-48633 is an Information Disclosure (ID) flaw, addressed via A-417988098, carrying the same severity and version scope.
No CVSS scores appear yet in NVD, as entries remain reserved, but both rank high due to potential for device compromise without additional privileges.
| CVE ID | Type | Severity | Affected AOSP | Bug Reference | Patch Level |
|---|---|---|---|---|---|
| CVE-2025-48572 | Elevation of Privilege | High | 13, 14, 15, 16 | A-385736540 | 2025-12-01 |
| CVE-2025-48633 | Information Disclosure | High | 13, 14, 15, 16 | A-417988098 | 2025-12-01 |
Attackers likely chain the two flaws: the information disclosure serves as reconnaissance against a chosen device, and the privilege escalation then lifts the attacker's foothold to elevated system permissions.
The Framework’s role in high-level APIs makes it a prime vector for malware persistence or data exfiltration on unpatched devices.
Devices need security patch levels of 2025-12-05 or higher to cover all fixes, including over 100 vulnerabilities in Framework, System, Kernel, and vendor components.
Android partners received notification a month prior, urging swift rollout; users should check Settings > Security > Patch level.
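The patch-level check described above, scaled to a fleet, as an added example that is not part of the original article: it parses `adb shell getprop` output per device (the sample output and serial numbers below are constructed), treats Android 13 through 16 as in scope for both CVEs, and flags devices whose `ro.build.version.security_patch` predates 2025-12-05.

```python
"""Fleet check: flag Android devices in the affected 13-16 range whose security
patch level predates the December 2025 bulletin level (2025-12-05).
Input is constructed sample output of `adb shell getprop`, one string per device."""
from datetime import date

REQUIRED_PATCH = date(2025, 12, 5)             # patch level that covers all bulletin fixes
AFFECTED_RELEASES = {"13", "14", "15", "16"}    # AOSP versions listed for both CVEs

# Constructed sample (hypothetical serials): what `adb shell getprop` prints per device.
SAMPLE_GETPROP = {
    "SERIAL-A": "[ro.build.version.release]: [14]\n[ro.build.version.security_patch]: [2025-12-05]\n",
    "SERIAL-B": "[ro.build.version.release]: [13]\n[ro.build.version.security_patch]: [2025-11-01]\n",
    "SERIAL-C": "[ro.build.version.release]: [12]\n[ro.build.version.security_patch]: [2025-10-05]\n",
    "SERIAL-D": "[ro.build.version.release]: [16]\n[ro.build.version.security_patch]: [garbage]\n",
}

def parse_getprop(text):
    """Turn getprop's `[key]: [value]` lines into a dict, ignoring malformed lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and "]: [" in line and line.endswith("]"):
            key, value = line[1:-1].split("]: [", 1)
            props[key] = value
    return props

def parse_patch_level(value):
    """Patch levels are ISO dates; anything else (missing or tampered) is unknown."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None

def assess(props):
    """Classify one device: out-of-scope, unknown-patch-level, exposed or patched."""
    major = props.get("ro.build.version.release", "").split(".")[0]
    if major not in AFFECTED_RELEASES:
        return "out-of-scope"
    patch = parse_patch_level(props.get("ro.build.version.security_patch"))
    if patch is None:
        return "unknown-patch-level"   # treat as exposed until verified by hand
    return "patched" if patch >= REQUIRED_PATCH else "exposed"

def audit(fleet):
    """Map each serial to its status; in practice `fleet` comes from `adb -s <serial> shell getprop`."""
    return {serial: assess(parse_getprop(output)) for serial, output in fleet.items()}

if __name__ == "__main__":
    for serial, status in audit(SAMPLE_GETPROP).items():
        print(f"{serial}: {status}")
```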
Enterprises must prioritize BYOD fleets, enforce app vetting, and monitor for anomalous app behavior amid ongoing threats.
CISA stresses the need to integrate KEV into vulnerability management to enable timely responses.
Google Play Protect helps detect threats, but manual updates remain critical for older OS versions.
No public exploit details exist, but the targeted nature suggests nation-state or advanced actors.
Organizations tracking CISA KEV gain early warnings on such threats. Read more at Android Bulletin and CISA KEV.