URGENT Patch: Google Fixes Two Actively Exploited Android Zero-Day Vulnerabilities
Two Android vulnerabilities were actively exploited as zero-days before patches became available, according to Google’s December Android Security Bulletin. Both flaws affect the Framework component and enable data access and privilege escalation, making it imperative for Android device owners to update as soon as possible.
The first vulnerability, CVE-2025-48633, involves information disclosure within the Android Framework. The second, CVE-2025-48572, allows an attacker to elevate privileges on the device — a capability that can facilitate the installation of malware or the bypassing of security protections. Both issues were rated as high-severity, and Google specifically notes that they “may be exploited in limited, targeted attacks,” suggesting precision operations against selected victims rather than widespread mass exploitation.
Google does not disclose who is wielding these zero-days or for what purpose. However, recent history shows that such flaws in mobile operating systems are frequently leveraged by vendors of commercial spyware and state-aligned threat actors, typically for covert surveillance of smartphone owners.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog — a list reserved for security flaws confirmed to be exploited “in the wild.” U.S. federal agencies are required to install patches by 23 December, and CISA strongly urges all other organizations to do the same to mitigate the risk of cyberattacks.
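For administrators who need to confirm that managed Android devices have actually picked up this month's fixes, the check below is an added example (not from Google's bulletin or CISA's catalog): it reads the device's reported security patch level over adb and compares it with the level the bulletin requires. The `ro.build.version.security_patch` property is a real Android system property; the `REQUIRED_LEVEL` value is an assumption and should be replaced with the patch-level string printed in the bulletin.

```shell
#!/bin/sh
# Added example: compare an Android device's security patch level with the
# level a bulletin requires. The required level below is an assumption;
# take the real YYYY-MM-DD string from the Android Security Bulletin.
REQUIRED_LEVEL="${REQUIRED_LEVEL:-2025-12-01}"

# is_patched DEVICE_LEVEL REQUIRED_LEVEL
#   exit 0 -> device level is at or past the required level
#   exit 1 -> device is behind and needs the update
#   exit 2 -> the value is not a YYYY-MM-DD patch level string
is_patched() {
    dev="$1"
    req="$2"
    case "$dev" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Drop the hyphens so the dates compare as plain integers (20251201).
    devn=$(printf '%s' "$dev" | tr -d '-')
    reqn=$(printf '%s' "$req" | tr -d '-')
    [ "$devn" -ge "$reqn" ]
}

# check_device [SERIAL]: query one connected device over adb and print a
# one-line verdict. Only runs when a serial or "any" is passed on the
# command line, so sourcing this file never touches adb.
check_device() {
    if [ "$1" = "any" ]; then
        level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    else
        level=$(adb -s "$1" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    fi
    rc=0
    is_patched "$level" "$REQUIRED_LEVEL" || rc=$?
    case "$rc" in
        0) printf '%s: patch level %s OK (required %s)\n' "$1" "$level" "$REQUIRED_LEVEL" ;;
        1) printf '%s: patch level %s BEHIND, update required (need %s)\n' "$1" "$level" "$REQUIRED_LEVEL" ;;
        *) printf '%s: could not read a valid patch level (got "%s")\n' "$1" "$level" ;;
    esac
    return "$rc"
}

# Usage: sh check_patch.sh any        (first/only device)
#        sh check_patch.sh <serial>   (specific device from `adb devices`)
if [ "$#" -gt 0 ]; then
    check_device "$1"
fi
```

Looping `check_device` over the serials listed by `adb devices` gives a quick fleet-wide view of which handsets still need the December update; a non-zero exit from `is_patched` is the signal to escalate.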
December’s Android updates do not end there. In total, Google addressed 107 vulnerabilities, seven of which were classified as critical. The most severe among them is CVE-2025-48631, again within the Framework component. According to Google, exploitation could trigger a remote denial-of-service (DoS) condition without requiring any additional privileges on the device.
Four more critical flaws stem from the kernel (CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, and CVE-2025-48638) and allow local privilege escalation. Two additional critical vulnerabilities (CVE-2025-47319 and CVE-2025-47372) affect proprietary Qualcomm components. According to the vendor, CVE-2025-47319 can result in data leakage because internal TA-to-TA (trusted application) APIs are improperly exposed to the operating system, while CVE-2025-47372 is a buffer overflow triggered when an ELF file with an excessively large size is parsed without sufficient validation.
Meanwhile, Google is dealing with its own wave of browser-related issues. In November, the company rushed to patch yet another Chrome zero-day — this time CVE-2025-13223, a type-confusion flaw in the V8 JavaScript engine. It marks the seventh zero-day in Chrome discovered since the beginning of the year, all of which have now been fixed.