CVE-2024-49747

CriticalRCE

Published: 21 January 2025

Published

21 January 2025

Modified

22 April 2025

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0517 90.0th percentile

Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49747 is a critical-severity Code Injection (CWE-94) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 10.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-18 (Wireless Access).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation of Remote Services (T1210). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly remediates the logic error in gatts_process_read_by_type_req causing out-of-bounds write in the Android BLE GATT server.

SI-16 Memory Protection partial match

prevent

Implements memory protections to prevent remote code execution from the out-of-bounds write vulnerability.

AC-18 Wireless Access partial match

prevent

Establishes usage restrictions and authorizations for wireless access to mitigate unauthenticated remote exploitation over Bluetooth.

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement

Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.

attack.mitre.org →

Why these techniques?

Out-of-bounds write in Android BLE GATT server enables unauthenticated remote code execution over Bluetooth, directly mapping to exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

In gatts_process_read_by_type_req of gatt_sr.cc, there is a possible out of bounds write due to a logic error in the code. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Deeper analysisAI

CVE-2024-49747 is a vulnerability in the gatts_process_read_by_type_req function within gatt_sr.cc, part of the Android Bluetooth Low Energy (BLE) GATT server implementation. It arises from a logic error that enables an out-of-bounds write, potentially leading to remote code execution without requiring additional execution privileges.

The vulnerability can be exploited remotely by any unauthenticated attacker over the network via Bluetooth, with low complexity and no need for user interaction. Successful exploitation grants high-impact remote code execution, compromising confidentiality, integrity, and availability, as reflected in its CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and association with CWE-94 (Improper Control of Generation of Code).

The Android Security Bulletin for 2025-01-01 addresses this issue with patches; practitioners should consult https://source.android.com/security/bulletin/2025-01-01 for detailed mitigation steps and update deployment guidance.

Details

CWE(s): CWE-94

Affected Products

google

android

12.0, 12.1, 13.0, 14.0, 15.0

CVEs Like This One

CVE-2024-43770Same product: Google Android

CVE-2025-0075Same product: Google Android

CVE-2024-43771Same product: Google Android

CVE-2024-49748Same product: Google Android

CVE-2025-22411Same product: Google Android

CVE-2025-22412Same product: Google Android

CVE-2024-43767Same product: Google Android

CVE-2025-22403Same product: Google Android

CVE-2026-0111Same product: Google Android

CVE-2026-0073Same product: Google Android

References

https://source.android.com/security/bulletin/2025-01-01
Vendor Advisory · security@android.com