CISA Warns of Android 0-Day Vulnerability Exploited in Attacks

CISA has added two critical Android Framework vulnerabilities to its Known Exploited Vulnerabilities catalog, signaling active exploitation in the wild.

The vulnerabilities affect the Android OS and pose significant risks to millions of mobile devices worldwide.

CISA added the vulnerabilities to its KEV catalog on December 2, 2025, requiring federal agencies and critical infrastructure operators to apply patches by December 23, 2025.

The two vulnerabilities are CVE-2025-48572, an Android Framework privilege escalation flaw, and CVE-2025-48633, an information disclosure vulnerability in the same framework component.

Vulnerabilities Added to Known Exploited List

CVE-2025-48572 is a privilege escalation vulnerability in the Android Framework that could allow threat actors to gain elevated permissions on compromised devices.

The vulnerability’s unspecified nature suggests Google is still withholding technical details to prevent widespread exploitation before patches become available.

Once an attacker gains privilege escalation, they can install malware, access sensitive user data, or establish persistent backdoors on affected devices.

The second vulnerability, CVE-2025-48633, enables information disclosure attacks through the Android Framework.

CVE ID           Vulnerability Type       Component           Status
CVE-2025-48572   Privilege Escalation     Android Framework   Active Exploitation
CVE-2025-48633   Information Disclosure   Android Framework   Active Exploitation

This flaw could allow attackers to extract sensitive data from affected devices without requiring explicit user interaction.

When combined with privilege escalation vulnerabilities, information disclosure flaws create a robust attack chain that can compromise device security entirely.

Neither vulnerability has been confirmed for use in ransomware campaigns at this time. However, CISA’s decision to add them to the KEV catalog indicates active exploitation.

Threat actors targeting Android devices often exploit multiple vulnerabilities to maximize attack success rates, making rapid patching critical for device owners and enterprise administrators.

CISA recommends organizations take immediate action by applying vendor-supplied mitigations as soon as patches become available.

Federal agencies must comply with the December 23, 2025 deadline under Binding Operational Directive (BOD) 22-01.

Organizations unable to apply patches should consider discontinuing use of affected products or implementing additional compensating security controls to reduce exposure.
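As an added check (example code, not from the article or from CISA): a small Python triage that reads KEV-style feed records and reports each CVE's BOD 22-01 due-date status against your own patch inventory. The field names are those of the public KEV JSON feed; the sample record below is constructed from the CVE IDs and dates quoted above, with the remaining values illustrative.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Field names follow the public feed; the CVE IDs and dates are the ones reported
# in the article, the other values are illustrative.
KEV_SAMPLE_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-48572", "vendorProject": "Android", "product": "Framework",
     "dateAdded": "2025-12-02", "dueDate": "2025-12-23",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-48633", "vendorProject": "Android", "product": "Framework",
     "dateAdded": "2025-12-02", "dueDate": "2025-12-23",
     "knownRansomwareCampaignUse": "Unknown"},
]})


def kev_status(feed_json: str, patched: dict, today_iso: str, vendor: str = "Android") -> dict:
    """Triage KEV entries for one vendor against a patch inventory.

    patched:   {cve_id: True/False} from your own asset inventory
    today_iso: evaluation date, "YYYY-MM-DD"
    Returns {cve_id: {"due", "days_left", "state", "ransomware"}} where state is
    "patched", "open" (due date not yet reached) or "overdue" (BOD 22-01 deadline missed).
    """
    today = date.fromisoformat(today_iso)
    report = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        if entry.get("vendorProject") != vendor:
            continue
        cve = entry["cveID"]
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        if patched.get(cve, False):
            state = "patched"
        elif days_left < 0:
            state = "overdue"
        else:
            state = "open"
        report[cve] = {"due": entry["dueDate"], "days_left": days_left, "state": state,
                       "ransomware": entry.get("knownRansomwareCampaignUse", "Unknown")}
    return report


def most_urgent(report: dict) -> list:
    """Unpatched CVEs ordered by urgency: overdue first, then fewest days left."""
    open_items = [(cve, v) for cve, v in report.items() if v["state"] != "patched"]
    return [cve for cve, v in sorted(open_items, key=lambda kv: kv[1]["days_left"])]


if __name__ == "__main__":
    rep = kev_status(KEV_SAMPLE_JSON, {"CVE-2025-48572": True}, "2025-12-10")
    for cve in most_urgent(rep):
        print(cve, rep[cve])
```

Replace KEV_SAMPLE_JSON with the downloaded feed and the inventory dict with your MDM or asset-management export to get a live BOD 22-01 tracker.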

Mobile device users should enable automatic security updates on their Android devices and check Google Play System Update settings for pending patches.

Enterprise administrators should prioritize deploying Android security updates across company-owned devices and communicate patch availability to users.

Additionally, organizations should monitor for indicators of compromise related to these vulnerabilities and implement network segmentation to limit lateral movement if compromise occurs.

The Android security landscape continues evolving as threat actors develop sophisticated attack chains targeting mobile platforms.

This latest CISA advisory underscores the importance of maintaining device security through regular patching, security monitoring, and prompt incident response capabilities.

Organizations should treat this advisory with high urgency and prioritize remediation efforts accordingly.
