Cyber Resilience

CVE-2025-48572

High · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 December 2025

Modified: 10 December 2025
KEV Added: 02 December 2025
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0021 (43.0th percentile)
Risk Priority: 36 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48572 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Google Android. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 43.0th percentile by exploit likelihood (below the median), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-48572 is a permissions bypass vulnerability present in multiple locations within the Android Open Source Project's platform/frameworks/base component. It enables the launch of activities from the background, which could result in local escalation of privilege without needing additional execution privileges or user interaction. The vulnerability is associated with CWE-306 (Missing Authentication for Critical Function) and carries a CVSS v3.1 base score of 7.8 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

A local attacker with low privileges (PR:L) can exploit this issue due to its low attack complexity (AC:L) and lack of required user interaction (UI:N). Successful exploitation allows the attacker to achieve high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H), facilitating privilege escalation on the affected Android device.

The Android Security Bulletin dated 2025-12-01 addresses this vulnerability, with a corresponding patch available in the commit at android.googlesource.com/platform/frameworks/base/+/e707f6600330691f9c67dc023c09f4cd2fc59192. It is also listed in the CISA Known Exploited Vulnerabilities Catalog.

This CVE's inclusion in the CISA KEV catalog indicates real-world exploitation has occurred.

Vulnerability details

In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s): CWE-306
KEV Date Added: 02 December 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (Tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a permissions bypass enabling local escalation of privilege without user interaction, directly facilitating T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-48633 · Same product: Google Android · both on KEV
CVE-2025-48543 · Same product: Google Android · both on KEV
CVE-2024-56192 · Same product: Google Android
CVE-2025-48602 · Same product: Google Android
CVE-2026-0124 · Same product: Google Android
CVE-2024-49738 · Same product: Google Android
CVE-2024-40651 · Same product: Google Android
CVE-2025-48574 · Same product: Google Android
CVE-2026-0023 · Same product: Google Android
CVE-2025-48647 · Same product: Google Android

Affected Assets

Vendor: google
Product: android
Versions: 13.0, 14.0, 15.0, 16.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: AC-3 mandates enforcement of approved authorizations for access to system resources, directly preventing the permissions bypass that enables unauthorized background activity launches leading to privilege escalation.

Prevent: SI-2 requires identification, reporting, and correction of system flaws like CVE-2025-48572, preventing exploitation by applying the available patch from the Android Security Bulletin.

Prevent: AC-6 enforces least privilege for accounts and functions, limiting the damage potential from low-privilege local attackers exploiting the vulnerability for escalation.
