CVE-2025-48633
Published: 08 December 2025
Summary
CVE-2025-48633 is a medium-severity an unspecified weakness vulnerability in Google Android. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 26.5th percentile by exploit likelihood (below the median); CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Timely flaw remediation via Android security patches directly corrects the logic error in hasAccountsOnAnyUser, preventing unauthorized Device Owner addition and local privilege escalation.
Enforces approved authorizations in DevicePolicyManagerService to block low-privileged local attackers from setting Device Owner after provisioning.
Limits low-privilege local accounts from accessing or modifying Device Owner settings, mitigating escalation even with flawed enforcement logic.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability is a logic error enabling local privilege escalation to Device Owner without user interaction, directly facilitating T1068: Exploitation for Privilege Escalation.
NVD Description
In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction…
more
is not needed for exploitation.
Deeper analysisAI
CVE-2025-48633 is a logic error in the hasAccountsOnAnyUser function of DevicePolicyManagerService.java within the Android Open Source Project's platform/frameworks/base component. This flaw enables the addition of a Device Owner after device provisioning, resulting in a local escalation of privilege. Exploitation requires no additional execution privileges or user interaction. The vulnerability carries a CVSS v3.1 base score of 5.5 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) and is associated with CWE information not yet detailed by NVD.
A local attacker with low privileges (PR:L) on an affected Android device can exploit this issue without additional attack complexity or user involvement. Successful exploitation allows the attacker to elevate privileges by installing a Device Owner, granting high confidentiality access (C:H) as reflected in the CVSS metrics, though without integrity or availability impact.
The Android Security Bulletin for December 2025-12-01 addresses this vulnerability and provides patch details. A specific code change fixing the issue is available in the commit at https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93. Mitigation involves applying the relevant Android updates, and the vulnerability is listed in the CISA Known Exploited Vulnerabilities Catalog at https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48633, indicating real-world exploitation.
Details
- CWE(s)
- KEV Date Added
- 02 December 2025