
CISA added two high-severity Android Framework vulnerabilities—CVE-2025-48572 and CVE-2025-48633—to its Known Exploited Vulnerabilities (KEV) catalog on December 1, 2025, confirming limited, targeted exploitation in the wild. These zero-days, addressed in Google’s December 2025 Android Security Bulletin (patch levels 2025-12-01 and 2025-12-05), affect Android 13 through 16 and enable privilege escalation and information disclosure without user interaction.
CVE-2025-48572: Background Privilege Escalation
This flaw stems from a permissions bypass in the Android Frameworks Base package, allowing malicious apps to launch unauthorized activities from the background. Attackers exploit it for local escalation of privileges, bypassing sandbox restrictions to access sensitive system functions like installing malware or altering device controls. No additional execution privileges or user interaction are needed, making it ideal for chaining with social engineering or sideloaded apps in targeted spyware campaigns.
CVE-2025-48633: Sensitive Data Leak
CVE-2025-48633 enables Android apps to disclose sensitive information from the Framework layer, such as app states, user credentials, or system data, without elevated rights. Residing in core APIs and libraries that apps rely on, it creates a foothold for deeper attacks when paired with escalation bugs like CVE-2025-48572. Google notes its use in limited attacks, likely by state actors or commercial surveillance tools targeting high-value individuals.
Mitigation and Enterprise Response
Apply security patch levels 2025-12-01 or later via MDM platforms to close both flaws across fleets. Restrict background app activity, disable sideloading, and monitor for anomalous Framework API calls or privilege jumps using EDR tools. Federal agencies face a December 23 remediation deadline under BOD 22-01, but all organizations should prioritize remediation given the active exploitation.
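The first step above, verifying that every device actually carries a patch level of 2025-12-01 or later, is the one that is easy to automate and easy to get wrong (a device reporting 2025-11-01 is still exposed). The script below is an added example, not code from CISA, Google or the bulletin; it reads the standard `ro.build.version.security_patch` property over adb, so it assumes adb is installed and the device has USB debugging authorized, and it skips the device scan entirely when adb is absent so the comparison helper can be reused on patch levels exported from an MDM console.

```shell
#!/bin/sh
# Added example: flag Android devices whose security patch level predates the
# December 2025 bulletin (2025-12-01), which fixes CVE-2025-48572 and
# CVE-2025-48633. Assumes adb is on PATH and devices are authorized for
# USB debugging; the helper patch_level_is_fixed works on any string.

MIN_PATCH_LEVEL="2025-12-01"   # earliest patch level that closes both CVEs

# patch_level_is_fixed LEVEL
# LEVEL is YYYY-MM-DD as reported by ro.build.version.security_patch.
# Returns 0 if LEVEL is on or after MIN_PATCH_LEVEL, 1 if it is older,
# and 2 if the value is not a date at all (e.g. an empty or garbled property).
patch_level_is_fixed() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes so ISO dates compare as plain integers: 2025-12-05 -> 20251205
    have=$(printf '%s' "$1" | sed 's/-//g')
    need=$(printf '%s' "$MIN_PATCH_LEVEL" | sed 's/-//g')
    [ "$have" -ge "$need" ]
}

# check_device SERIAL
# Prints a one-line verdict for one connected device; the \r strip is needed
# because adb shell output arrives with CRLF line endings.
check_device() {
    serial="$1"
    level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
    release=$(adb -s "$serial" shell getprop ro.build.version.release | tr -d '\r')
    if patch_level_is_fixed "$level"; then
        echo "$serial: Android $release, patch level $level: OK"
    elif [ "$?" -eq 2 ]; then
        echo "$serial: Android $release, patch level '$level': UNREADABLE, inspect manually"
    else
        echo "$serial: Android $release, patch level $level: VULNERABLE, update required"
    fi
}

# Scan every attached, authorized device; silently skip when adb is not installed
# (for example when this file is sourced only for patch_level_is_fixed).
if command -v adb >/dev/null 2>&1; then
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        check_device "$serial"
    done
fi
```

Because Google publishes two patch levels for this bulletin (2025-12-01 and 2025-12-05), the integer comparison treats both, and anything later, as fixed; only a device still on a November or earlier level is reported as vulnerable.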


