CVE-2025-48633

Medium · CISA KEV · Active Exploitation · EUVD Exploited

Published: 08 December 2025
Modified: 10 December 2025
KEV Added: 02 December 2025
Patch: available
CVSS v3.1 Score: 5.5 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0010 (26.7th percentile)
Risk Priority: 31 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-48633 is a medium-severity vulnerability in Google Android whose weakness type (CWE) is not yet specified. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique T1068 (Exploitation for Privilege Escalation). EPSS ranks it at the 26.7th percentile by exploit likelihood (below the median), yet CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-48633 is a logic error in the hasAccountsOnAnyUser function of DevicePolicyManagerService.java within the Android Open Source Project's platform/frameworks/base component. The flaw allows a Device Owner to be added after device provisioning has completed, resulting in a local escalation of privilege. Exploitation requires no additional execution privileges and no user interaction. The vulnerability carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N); NVD has not yet assigned a CWE.

A local attacker with low privileges (PR:L) on an affected Android device can exploit this issue with low attack complexity (AC:L) and no user involvement (UI:N). Successful exploitation lets the attacker elevate privileges by installing a Device Owner; the CVSS metrics record this as a high confidentiality impact (C:H) with no integrity or availability impact (I:N, A:N).

The Android Security Bulletin dated 2025-12-01 (December 2025) addresses this vulnerability and provides patch details. The code change fixing the issue is available in the commit at https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93. Mitigation consists of applying the relevant Android updates. The vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48633, indicating real-world exploitation.

Vulnerability details

In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CWE(s): none listed
KEV Date Added: 02 December 2025

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is a logic error enabling local privilege escalation to Device Owner without user interaction, directly facilitating T1068: Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-48543: same product (Google Android); both on KEV
CVE-2025-48572: same product (Google Android); both on KEV
CVE-2024-56192: same product (Google Android)
CVE-2025-48602: same product (Google Android)
CVE-2026-0124: same product (Google Android)
CVE-2024-49738: same product (Google Android)
CVE-2024-40651: same product (Google Android)
CVE-2026-0023: same product (Google Android)
CVE-2025-48574: same product (Google Android)
CVE-2025-48647: same product (Google Android)

Affected Assets

Google Android: versions 13.0, 14.0, 15.0, 16.0

Mitigating Controls (NIST 800-53 r5) · AI

SI-2 Flaw Remediation (prevent): Timely flaw remediation via Android security patches directly corrects the logic error in hasAccountsOnAnyUser, preventing unauthorized Device Owner addition and local privilege escalation.

AC-3 Access Enforcement (prevent): Enforces approved authorizations in DevicePolicyManagerService to block low-privileged local attackers from setting a Device Owner after provisioning.

Least privilege for local accounts (prevent): Limits low-privilege local accounts from accessing or modifying Device Owner settings, mitigating escalation even when the enforcement logic is flawed.
