Cyber Resilience

CVE-2024-49747

CriticalRCE

Published: 21 January 2025

Published
21 January 2025
Modified
22 April 2025
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0517 90.1th percentile
Risk Priority 23 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-49747 is a critical-severity Code Injection (CWE-94) vulnerability in Google Android. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked in the top 9.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and AC-18 (Wireless Access).

Deeper analysis

CVE-2024-49747 is an out-of-bounds write in the function gatts_process_read_by_type_req within gatt_sr.cc, caused by a logic error in the code. The flaw resides in the Bluetooth GATT server component of Android and carries a CVSS score of 9.8, reflecting remote code execution potential without any required privileges or user interaction. It is also categorized under CWE-94.

A remote attacker can send a crafted request over the network to trigger the flaw, resulting in arbitrary code execution on the target device. No authentication, special permissions, or user interaction is needed for successful exploitation.

The referenced Android security bulletin from January 2025 addresses the issue through platform updates that correct the logic error in the affected GATT processing code.

EPSS for the CVE rose from a low baseline to a recorded peak of 0.0949, indicating emerging exploitation interest after disclosure.

EU & UK References

Vulnerability details

In gatts_process_read_by_type_req of gatt_sr.cc, there is a possible out of bounds write due to a logic error in the code. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Out-of-bounds write in Android BLE GATT server enables unauthenticated remote code execution over Bluetooth, directly mapping to exploitation of a remote service.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2024-43770Same product: Google Android
CVE-2024-43771Same product: Google Android
CVE-2025-22411Same product: Google Android
CVE-2024-43767Same product: Google Android
CVE-2025-0075Same product: Google Android
CVE-2024-43096Same product: Google Android
CVE-2024-49748Same product: Google Android
CVE-2025-22412Same product: Google Android
CVE-2025-26438Same product: Google Android
CVE-2026-0073Same product: Google Android

Affected Assets

google
android
12.0, 12.1, 13.0, 14.0, 15.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly remediates the logic error in gatts_process_read_by_type_req causing out-of-bounds write in the Android BLE GATT server.

prevent

Implements memory protections to prevent remote code execution from the out-of-bounds write vulnerability.

prevent

Establishes usage restrictions and authorizations for wireless access to mitigate unauthenticated remote exploitation over Bluetooth.

References