CVE-2025-48633 - PatchNow

Data Source: CIRCL

Confidence: HIGH

Exploitation Method: OTHER

CVE Published: 2025-12-08

Added to CISA KEV: 2025-12-02 0 DAY BETWEEN CVE AND KEV

CRITICAL: Check for indicators of compromise - this vulnerability is in CISA KEV indicating active exploitation in the wild. Review device logs, check for unauthorized device administration apps, verify no unexpected Device Owner policies
Apply Android security updates immediately when available for affected versions (13, 14, 15, 16)
Monitor for suspicious device administration changes and unauthorized policy installations
HIGH priority patching for enterprise Android deployments with device management

CVE-2025-48633 is a security vulnerability in the Android Framework that was disclosed and patched by Google in December 2025 ^[3].

Here is the current understanding of the vulnerability based on available information:

Active Exploitation: Google confirmed that this vulnerability was under "limited, targeted exploitation" at the time the patch was released in December 2025 ^[1] ^[5].
Threat Actor Usage: Specific details regarding the threat actors behind these targeted attacks have not been publicly attributed or detailed in major security reports.

Technical Root Cause: The vulnerability exists in the `hasAccountsOnAnyUser` function within `DevicePolicyManagerService.java` ^[2].
Exploitation Method: It involves a logic error that allows an attacker to add a "Device Owner" to an Android device after the initial provisioning process has already been completed ^[2].
Requirements: While the vulnerability is often categorized as a local escalation of privilege ^[4], the specific nature of "Device Owner" provisioning typically implies a need for specific conditions or interactions to bypass standard security checks.

Impact: Successful exploitation grants the attacker "Device Owner" status. This is a highly privileged role in Android that provides extensive control over the device, including the ability to manage apps, monitor data, and enforce security policies, effectively giving the attacker administrative control over the device's management profile.
Ransomware/Targeted Attacks: The vulnerability was identified in the context of "targeted attacks" rather than broad, automated ransomware campaigns ^[1].

Proof-of-Concept: There is no widely available public exploit tool or proof-of-concept code for this vulnerability.
Patch Status: This vulnerability was addressed in the December 2025 Android Security Bulletin ^[3]. Users are advised to ensure their devices have received the 2025-12-01 security patch level or later to mitigate this risk.

CVE-2025-48633 Detail - NVD
Description. In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error ... Secure .gov websites use HTTPS A lock () or https:// means you've safely connected to the .gov website. Share sensitive information only…
Google fixes Android vulnerabilities "under targeted exploitation ...
Google patches Android vulnerabilities, including CVE-2025-48633 and CVE-2025-48572, which "may be under limited, targeted exploitation".
Android Security Bulletin—December 2025 - Android Open Source Project
CVE-2025-48633 CVE-2025-48572 2025-12-01 security patch level vulnerability details In the sections below, we provide details for each of the security vulnerabilities that apply to the 2025-12-01 patch level. Vulnerabilities are grouped under the component they affect. ... CVE-2025-48631 has been re…
CVE-2025-48633 | Medium Vulnerability in Google Android
CVE-2025-48633 is a medium-severity vulnerability found in Google Android systems. This vulnerability allows for local escalation of privilege ...
Google fixes two Android zero days exploited in attacks, 107 flaws
Google has released the December 2025 Android security bulletin, addressing 107 vulnerabilities, including two flaws actively exploited in targeted attacks.

🟢 CVE-2025-48633