CVE-2025-36895 Overview
CVE-2025-36895 is an information disclosure vulnerability in Google Android, classified under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor. The published severity metrics describe a flaw reachable over the network by an unauthenticated attacker, with no user interaction required, that lets the attacker read sensitive information from the affected device.
Google addressed the issue in the Android Security Bulletin for September 2025. The flaw affects confidentiality only; integrity and availability are not impacted.
Critical Impact
Remote attackers can read sensitive Android data over the network without authentication or user interaction, exposing confidential information to unauthorized parties.
Affected Products
- Google Android (see cpe:2.3:o:google:android:-:*:*:*:*:*:*:*)
- Pixel devices covered by the September 2025 Android Security Bulletin
- Android builds prior to the September 2025 security patch level
Discovery Timeline
- 2025-09-04 - CVE-2025-36895 published to NVD
- 2025-09-05 - Last updated in NVD database
Technical Details for CVE-2025-36895
Vulnerability Analysis
The vulnerability is an information disclosure issue in Google Android tracked under [CWE-200]. An attacker reaches the vulnerable code path over the network without prior authentication. The exploitation does not require user interaction, which broadens the attack surface to any reachable Android device.
The confidentiality impact is high while integrity and availability remain unaffected. A confidentiality-only impact is consistent with a flaw that leaks memory, file, or protocol data rather than altering device state, but that is an inference from the severity metrics, not a disclosed root cause: Google has not published exploitation details beyond the bulletin reference.
Root Cause
The root cause is improper protection of sensitive information within an Android component reachable from the network. CWE-200 covers any path by which sensitive data reaches an actor not authorized to see it, whether a missing authorization check on a remote request, an over-verbose response, or an over-read of memory; Google's public references do not say which mechanism applies here and do not name the affected subsystem or component.
Attack Vector
The attack vector is network-based with low complexity. An attacker sends crafted network traffic to a vulnerable Android device and inspects the response, or an observable side effect, to recover sensitive data. No privileges and no user interaction are required, so any service or listener the device exposes to an untrusted network is a candidate entry point.
No public proof-of-concept exploit, ExploitDB entry, or CISA KEV listing exists for this CVE at the time of writing. The current EPSS score is 0.023%, indicating low observed exploitation likelihood. Refer to the Android Security Bulletin September 2025 for vendor-supplied technical details.
Detection Methods for CVE-2025-36895
Indicators of Compromise
- Android devices returning application or system data in responses to untrusted network endpoints.
- Anomalous inbound traffic to Android device service ports from unknown external sources.
- Mobile devices reporting security patch levels earlier than 2025-09-01.
Detection Strategies
- Inventory Android fleet patch levels and flag devices missing the September 2025 security patch.
- Monitor network telemetry for unsolicited connections targeting Android devices on corporate or guest networks.
- Correlate mobile device management (MDM) compliance reports with the affected build list from the Pixel bulletin.
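The patch-level inventory check described above, together with the SLA-window alert from the monitoring recommendations, as one worked script. This is an added example for this page, not code from Google or from the original advisory; the tab-separated MDM export, its column names and the 14-day SLA are assumptions, and the sample rows are constructed. Devices with an empty or malformed patch level are deliberately reported as unknown rather than compliant.

```python
"""Flag managed Android devices whose security patch level predates the
CVE-2025-36895 fix, and list the ones still unpatched after the SLA window.

Added example for this page; not code from Google or from the original
advisory. The tab-separated export, its column names and the 14-day SLA
are assumptions, and the sample rows are constructed.
"""
from datetime import date, datetime

# Minimum patch level carrying the fix, per the September 2025 bulletin.
REQUIRED_PATCH_LEVEL = date(2025, 9, 1)

# Constructed MDM-style export (assumed format: header row, tab-separated).
SAMPLE_EXPORT = """\
device_id\tmodel\tsecurity_patch\tlast_checkin
d-0001\tPixel 8\t2025-09-05\t2025-09-20
d-0002\tPixel 7\t2025-08-05\t2025-09-20
d-0003\tPixel 9\t2025-09-01\t2025-09-19
d-0004\tPixel 6a\t\t2025-09-20
d-0005\tPixel 8a\tunknown\t2025-09-18
"""


def parse_patch_level(value):
    """Parse a ro.build.version.security_patch value (YYYY-MM-DD) into a date.

    Returns None for an empty or malformed field so that a device which
    cannot prove its level is never counted as compliant by accident.
    """
    try:
        return datetime.strptime(value.strip(), "%Y-%m-%d").date()
    except ValueError:
        return None


def is_remediated(patch_level, required=REQUIRED_PATCH_LEVEL):
    """True when the device reports the required patch level or a later one."""
    return patch_level is not None and patch_level >= required


def parse_export(export_text):
    """Yield one dict per data row of a tab-separated export with a header row."""
    lines = export_text.splitlines()
    header = lines[0].split("\t")
    for line in lines[1:]:
        if line.strip():
            yield dict(zip(header, line.split("\t")))


def classify_devices(export_text, required=REQUIRED_PATCH_LEVEL):
    """Bucket device ids into compliant, noncompliant and unknown, in export order."""
    buckets = {"compliant": [], "noncompliant": [], "unknown": []}
    for row in parse_export(export_text):
        level = parse_patch_level(row.get("security_patch", ""))
        if level is None:
            buckets["unknown"].append(row["device_id"])
        elif is_remediated(level, required):
            buckets["compliant"].append(row["device_id"])
        else:
            buckets["noncompliant"].append(row["device_id"])
    return buckets


def overdue_devices(export_text, as_of_iso, sla_days=14, required=REQUIRED_PATCH_LEVEL):
    """Devices not remediated once sla_days have passed since the required patch date.

    Returns an empty list while the window is still open. Unknown levels count
    as overdue, since they cannot be shown to be fixed.
    """
    as_of = date.fromisoformat(as_of_iso)
    if (as_of - required).days <= sla_days:
        return []
    return [
        row["device_id"]
        for row in parse_export(export_text)
        if not is_remediated(parse_patch_level(row.get("security_patch", "")), required)
    ]


if __name__ == "__main__":
    for bucket, ids in classify_devices(SAMPLE_EXPORT).items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
    print("overdue as of 2025-09-20:", overdue_devices(SAMPLE_EXPORT, "2025-09-20"))
```

Patch levels are compared as dates rather than as substrings, so a device reporting a later level such as 2025-09-05 or any October level passes without a per-month pattern update.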
Monitoring Recommendations
- Ingest MDM and Android Enterprise telemetry into a centralized log platform to track patch compliance.
- Alert on Android devices that fail to receive the September 2025 over-the-air (OTA) update within the patch SLA window.
- Review network logs for repeated probes against mobile subnets that may indicate enumeration of vulnerable devices.
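The network side of the detection strategy above (unsolicited inbound connections to managed handsets, and repeated probes across a mobile subnet that suggest enumeration) as a worked check over flow records. This is an added example for this page, not code from Google or from the original advisory; the flow-record format, the 10.50.0.0/16 handset range, the list of internal ranges and the three-host enumeration threshold are assumptions, the records are constructed, and the destination ports are arbitrary because the bulletin does not name the affected service.

```python
"""Find unsolicited inbound connections to the managed-handset subnet and
rank external sources that touch many handsets (possible enumeration).

Added example for this page; not code from Google or from the original
advisory. The flow-record format, the 10.50.0.0/16 handset range and the
three-host enumeration threshold are assumptions; the records are constructed
and the destination ports are arbitrary, since the bulletin does not name
the affected service.
"""
import ipaddress
from collections import defaultdict

# Assumed address range for managed handsets on segmented Wi-Fi / VPN.
MOBILE_SUBNET = ipaddress.ip_network("10.50.0.0/16")
# Sources inside these ranges are treated as internal, not "unknown external".
INTERNAL_RANGES = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed flow records: ts,src_ip,dst_ip,dst_port,proto (src is the initiator).
SAMPLE_FLOWS = """\
ts,src_ip,dst_ip,dst_port,proto
2025-09-10T08:00:01Z,203.0.113.7,10.50.1.10,8080,tcp
2025-09-10T08:00:02Z,203.0.113.7,10.50.1.11,8080,tcp
2025-09-10T08:00:03Z,203.0.113.7,10.50.1.12,8080,tcp
2025-09-10T08:00:04Z,203.0.113.7,10.50.1.13,8080,tcp
2025-09-10T08:01:00Z,198.51.100.9,10.50.2.40,8443,tcp
2025-09-10T08:01:30Z,10.50.1.10,192.0.2.80,443,tcp
2025-09-10T08:02:00Z,10.20.0.5,10.50.1.10,5228,tcp
"""


def parse_flows(text):
    """Parse the CSV flow export into dicts with ip_address objects for src and dst."""
    lines = text.splitlines()
    header = lines[0].split(",")
    flows = []
    for line in lines[1:]:
        if not line.strip():
            continue
        row = dict(zip(header, line.split(",")))
        row["src_ip"] = ipaddress.ip_address(row["src_ip"])
        row["dst_ip"] = ipaddress.ip_address(row["dst_ip"])
        row["dst_port"] = int(row["dst_port"])
        flows.append(row)
    return flows


def is_internal(addr):
    """True when the address falls inside one of the assumed internal ranges."""
    return any(addr in net for net in INTERNAL_RANGES)


def unsolicited_inbound(flows):
    """Flows initiated from outside the internal ranges toward a handset.

    Handset-initiated (outbound) traffic and internal-to-handset traffic are
    excluded; lateral movement inside the handset subnet is out of scope here.
    """
    return [f for f in flows if f["dst_ip"] in MOBILE_SUBNET and not is_internal(f["src_ip"])]


def enumeration_sources(flows, min_hosts=3):
    """External sources that reached at least min_hosts distinct handsets.

    Returns {source_ip_string: distinct_handset_count}.
    """
    targets = defaultdict(set)
    for f in unsolicited_inbound(flows):
        targets[str(f["src_ip"])].add(f["dst_ip"])
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for f in unsolicited_inbound(flows):
        print(f"{f['ts']} {f['src_ip']} -> {f['dst_ip']}:{f['dst_port']}/{f['proto']}")
    print("possible enumeration:", enumeration_sources(flows))
```

The check keys on direction (who initiated the connection) rather than on a port, because the bulletin does not identify the listening service; once the affected component is known, narrowing the filter to its port will cut false positives from legitimate inbound push or management traffic.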
How to Mitigate CVE-2025-36895
Immediate Actions Required
- Apply the September 2025 Android security patch level (2025-09-01 or later) to all managed Android devices.
- Prioritize Pixel and other devices listed in the Android Security Bulletin September 2025.
- Enforce automatic OTA updates through MDM policy for the managed Android fleet.
Patch Information
Google released fixes in the September 2025 Android Security Bulletin. Devices must report a security patch level of 2025-09-01 or later to be considered remediated. Pixel-specific updates are documented in the linked bulletin and ship through standard OTA channels.
Workarounds
Because Google has not named the affected component or the port it listens on, these workarounds are generic exposure reductions rather than a targeted fix: they lower the chance that untrusted traffic reaches the device at all while the patch is rolled out.
- Restrict untrusted network access to mobile devices by enforcing VPN-only connectivity or segmented Wi-Fi for managed handsets.
- Disable or restrict exposure of any unnecessary listening services on Android devices via MDM configuration.
- Block direct inbound connections to mobile device IP ranges at the network perimeter until patching is complete.
# Verify Android security patch level via adb
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2025-09-01 or later
# The value is a YYYY-MM-DD string; compare it as a date rather than matching the substring "2025-09"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.