🟢 CVE-2025-48572

This is a local privilege escalation vulnerability in Android that allows launching activities from the background due to a permissions bypass. While highly impactful on mobile devices and actively exploited according to CISA KEV, it cannot be exploited over the internet as it requires local access to the Android device.

Risk Level: LOW_RISK

CVSS Score: 7.8

Attack Vector: LOCAL

ATT&CK Tactic: Privilege Escalation

ATT&CK Technique: T1068 - Exploitation for Privilege Escalation

Deployment Risk: LOW

Ransomware: No

📋 Vulnerability Details

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-12-08

Added to CISA KEV: 2025-12-02 (0 DAY BETWEEN CVE AND KEV)

🎯 Recommendations:

πŸ” Web Intelligence (Kagi Β· 2026-06-04)

CVE-2025-48572 is a high-severity vulnerability in the Android Framework that was identified and addressed in December 2025 [1].

Active Exploitation and Threat Actor Usage
  • Status: This vulnerability has been confirmed as actively exploited in the wild [1].
  • CISA KEV: On December 2, 2025, the Cybersecurity and Infrastructure Security Agency (CISA) added this flaw to its Known Exploited Vulnerabilities (KEV) catalog, mandating that U.S. federal agencies patch the issue [3].
  • Nature of Attacks: Reports indicate that the vulnerability was used in limited, targeted attacks rather than widespread, opportunistic ransomware campaigns [2] [5].
Attack Method and Requirements
  • Exploitation Type: The vulnerability is a local privilege escalation flaw [1].
  • Mechanism: It involves a permissions bypass that allows an attacker to launch activities from the background [4].
  • User Interaction: Successful exploitation does not require user interaction [1].
Impact
  • Consequences: Exploitation provides an attacker with an escalation of privilege on the affected Android device [1].
  • CVSS Score: It is classified as a high-severity vulnerability with a CVSS score of 7.8 [1].
Patch and Mitigation Status
  • Resolution: Google addressed this vulnerability as part of the December 2025 Android security bulletin, which included fixes for 107 total flaws [2].
  • Mitigation: Users are advised to ensure their devices are updated to the latest available security patch level provided by their device manufacturer to mitigate this risk.
*Note: No proof-of-concept (PoC) exploit tool for this vulnerability is publicly available, as it was identified as being used in targeted, sophisticated attacks.*

Sources

  1. CVE-2025-48572 | Android Framework Vulnerability | UpGuard

    CVE-2025-48572 is a high-severity vulnerability (CVSS 7.8) in the Android Framework that is currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. This flaw allows a local attacker to bypass permission checks and launch background activi…

  2. Google fixes two Android zero days exploited in attacks, 107 flaws

    Google has released the December 2025 Android security bulletin, addressing 107 vulnerabilities, including two flaws actively exploited in targeted attacks.

  3. CVE-2025-48633 and CVE-2025-48572: Android Framework ...

    On December 2, 2025, CISA added CVE-2025-48633 and CVE-2025-48572 to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal ...

  4. CVE-2025-48572 Detail - NVD

    Description. In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local ...

  5. Android Multiple Vulnerabilities

    Note: CVE-2025-48633 and CVE-2025-48572 are being scattered exploited. There are indications that the vulnerabilities may be under limited, ...