Google Fixes Android Zero-Day Flaws Actively Exploited in the Wild

Google has released critical security patches addressing two high-severity zero-day vulnerabilities in Android that are currently being exploited in limited, targeted attacks.

The vulnerabilities, disclosed in the December 2025 Android Security Bulletin, affect multiple Android versions and require immediate attention from device manufacturers and users.

Active Exploitation Confirmed

The two CVEs under active exploitation, CVE-2025-48633 and CVE-2025-48572, have been identified with evidence of real-world exploitation.

| CVE ID         | Type                           | Severity | Affected Android Versions |
|----------------|--------------------------------|----------|---------------------------|
| CVE-2025-48633 | Information Disclosure         | High     | 13, 14, 15, 16            |
| CVE-2025-48572 | Elevation of Privilege (EoP)   | High     | 13, 14, 15, 16            |

Google’s security team flagged both vulnerabilities as having indications of limited, targeted exploitation in the wild.

These discoveries highlight the ongoing threat landscape where attackers quickly identify and weaponize newly disclosed Android vulnerabilities.

CVE-2025-48633, an information disclosure vulnerability in Android’s Framework component, has been rated as high severity and affects Android versions 13 through 16.

This vulnerability could allow attackers to access sensitive information without requiring elevated privileges, potentially exposing user data across millions of devices.

The second vulnerability, CVE-2025-48572, is a high-severity elevation-of-privilege (EoP) flaw.

This type of vulnerability is particularly dangerous because it lets an attacker who already has a foothold on a device escalate to administrative control over it.

Both vulnerabilities affect the same Android versions, 13, 14, 15, and 16, leaving a substantial portion of the Android ecosystem exposed until patches are applied.

The affected Framework and System components are fundamental to Android’s core functionality, indicating a significant potential for widespread impact.

Google announced that security patch levels dated December 5, 2025, or later address all disclosed issues.

Android partners received notification of these vulnerabilities at least one month before the public bulletin, allowing device manufacturers time to prepare patches.

Google has committed to releasing corresponding source code patches to the Android Open Source Project (AOSP) repository within 48 hours of the bulletin’s initial publication.

Users who install applications outside Google Play should exercise extra caution, as threat actors may distribute malicious apps designed to exploit these vulnerabilities.

Keeping Android devices updated and avoiding sideloaded applications from untrusted sources remains the best defense.

Device owners should immediately check their security patch level and update their devices when patches become available.

The update process varies by device manufacturer and carrier, but most modern Android devices offer automatic updates.

Users can verify their current patch level in device settings under About Phone or System Updates.
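For anyone checking more than a handful of devices, the same verification can be scripted. The script below is an added example, not code from the article or from Google; it reads the standard `ro.build.version.release` and `ro.build.version.security_patch` system properties over adb and compares the patch level against the December 5, 2025 level the bulletin names. It assumes adb is on PATH with a device attached and USB debugging enabled; the function names and the `--device` / `--level` options are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or the Android Security Bulletin):
# compare an Android security patch level against the 2025-12-05 level that
# Google says closes CVE-2025-48633 and CVE-2025-48572.
#
# Assumptions: adb is on PATH and a device is attached with USB debugging
# enabled. ro.build.version.security_patch and ro.build.version.release are
# standard Android system properties; the function names and CLI options
# below are constructed for this example.

REQUIRED_PATCH_LEVEL="2025-12-05"

# to_number 2025-12-05 -> 20251205; fails for anything that is not YYYY-MM-DD.
to_number() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) echo "$1" | tr -d '-' ;;
        *) return 1 ;;
    esac
}

# Exit 0 when LEVEL is at or after the required patch level, 1 when it is
# older, 2 when LEVEL is missing or malformed (e.g. getprop returned nothing).
# Zero-padded ISO dates compare correctly once the hyphens are stripped.
patch_level_is_current() {
    level_num=$(to_number "$1") || return 2
    required_num=$(to_number "${2:-$REQUIRED_PATCH_LEVEL}") || return 2
    [ "$level_num" -ge "$required_num" ]
}

# Exit 0 when the Android release is one the bulletin lists as affected (13-16).
release_is_affected() {
    major=${1%%.*}
    case "$major" in
        13|14|15|16) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line verdict for a (release, patch level) pair, printed rather than
# exited so it can be collected into a fleet report.
verdict() {
    release="$1"; level="$2"
    status=0
    patch_level_is_current "$level" || status=$?
    case "$status" in
        0) echo "OK: patch level $level includes the December 2025 fixes" ;;
        2) echo "UNKNOWN: could not read a valid patch level ('$level')" ;;
        *) if release_is_affected "$release"; then
               echo "VULNERABLE: Android $release at patch level $level (before $REQUIRED_PATCH_LEVEL)"
           else
               echo "OUT OF SCOPE: Android $release is not covered by the bulletin; check vendor support"
           fi ;;
    esac
}

# Query the attached device over adb and print the verdict.
# tr strips the CR/LF that adb shell appends to property values.
check_attached_device() {
    release=$(adb shell getprop ro.build.version.release | tr -d '\r\n')
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    verdict "$release" "$level"
}

case "${1-}" in
    --device) check_attached_device ;;                 # sh check_patch.sh --device
    --level)  verdict "${2-}" "${3-}" ;;               # sh check_patch.sh --level 14 2025-11-05
esac
```

Run it with `--device` against a connected phone, or with `--level <release> <patch-level>` to evaluate values collected from an MDM export without a device attached. A device reporting a patch level before 2025-12-05 on Android 13 through 16 is still exposed to both CVEs; a release outside 13 through 16 is not covered by this bulletin at all and needs a separate support check with the vendor.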
