
CVE-2025-48571: Google Android Information Disclosure Flaw

CVE-2025-48571 is an information disclosure vulnerability in Google Android that enables attackers to intercept SMS messages through a logic error. This article covers the technical details, affected versions, and mitigation.

CVE-2025-48571 Overview

CVE-2025-48571 is an information disclosure vulnerability in the Android Bluetooth stack. The flaw resides in multiple functions within btm_sec.cc, the Bluetooth security manager component. A logic error in the code allows an attacker to intercept Short Message Service (SMS) messages over a Bluetooth connection. Exploitation requires user interaction but no additional execution privileges. Google has addressed the issue in the Android 17 security bulletin. The vulnerability is tracked under [CWE-693] (Protection Mechanism Failure), indicating that an existing security control fails to function as intended.

Critical Impact

Remote attackers can intercept SMS messages on affected Android 17 devices when a user accepts a malicious Bluetooth interaction, leading to disclosure of sensitive content such as one-time passwords and authentication codes.

Affected Products

  • Google Android 17
  • Android Open Source Project (AOSP) Bluetooth stack (btm_sec.cc)
  • Devices using the affected Android Bluetooth security manager component

Discovery Timeline

  • 2026-06-17 - CVE-2025-48571 published to the National Vulnerability Database
  • 2026-06-17 - Last updated in the NVD
  • Android Security Bulletin - Google publishes fix details in the Android Security Bulletin #17

Technical Details for CVE-2025-48571

Vulnerability Analysis

The vulnerability resides in btm_sec.cc, the Bluetooth Transport Manager security module of the Android Bluetooth stack. Multiple functions in this file contain a logic error that breaks the intended protection mechanism for SMS-related Bluetooth profiles. Attackers can exploit this flaw to intercept SMS message content transmitted across the Bluetooth interface. The vulnerability does not grant code execution or elevated privileges, but it exposes confidential message data to a network-adjacent attacker. SMS interception is particularly impactful because messages frequently carry multi-factor authentication codes, password reset links, and account notifications. The issue is classified as [CWE-693] Protection Mechanism Failure.

Root Cause

The root cause is a logic error across multiple functions in btm_sec.cc that handle Bluetooth security state and pairing decisions. The faulty logic permits an unauthorized peer to negotiate access to message-bearing profiles such as the Message Access Profile (MAP) without enforcing the expected authorization checks. As a result, the security manager fails to constrain which remote devices may receive SMS data.

Attack Vector

Exploitation occurs over a Bluetooth connection within radio range of the target device. The attacker presents a malicious Bluetooth peer, and the victim must perform a user interaction such as accepting a pairing prompt or connection request. Once the interaction completes, the logic error in the security manager allows the attacker to subscribe to or read SMS data through the abused profile. No malware installation on the target is required.

No public proof-of-concept code is available for CVE-2025-48571. Refer to the Android Security Bulletin #17 for the authoritative technical details and fix description.

Detection Methods for CVE-2025-48571

Indicators of Compromise

  • Unexpected Bluetooth pairing or bonding events on Android 17 devices, particularly with unknown peer MAC addresses.
  • Repeated Message Access Profile (MAP) or Phone Book Access Profile (PBAP) connection attempts from untrusted devices.
  • SMS-based one-time passcodes used from a session or location not associated with the legitimate user.
  • Unfamiliar entries in the device's paired Bluetooth list after the device has been used in public or untrusted environments.

Detection Strategies

  • Audit Android device logs through Mobile Device Management (MDM) for Bluetooth bonding events and profile-level service connections.
  • Correlate authentication failures and account-takeover attempts with recent Bluetooth pairing activity on the user's device.
  • Inspect Bluetooth Host Controller Interface (HCI) snoop logs where available to identify MAP/PBAP traffic to unauthorized peers.
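
As a first pass over an HCI snoop log, the following added example (not code from the bulletin or from AOSP) parses a btsnoop capture and lists the peers that completed a BR/EDR connection but are not on an approved list. The allowlist, the addresses and the sample capture are constructed for illustration; confirming MAP/PBAP traffic on a flagged link still requires L2CAP/RFCOMM dissection in a protocol analyzer.

```python
import struct

BTSNOOP_MAGIC = b"btsnoop\x00"
H4_EVENT = 0x04                 # HCI UART (H4) packet-type byte for events
EVT_CONNECTION_COMPLETE = 0x03  # BR/EDR link established (the transport MAP/PBAP use)

def iter_records(blob):
    """Yield the packet bytes of each record in a btsnoop capture."""
    if blob[:8] != BTSNOOP_MAGIC:
        raise ValueError("not a btsnoop file")
    version, datalink = struct.unpack(">II", blob[8:16])
    if (version, datalink) != (1, 1002):  # 1002 = HCI UART (H4)
        raise ValueError("unsupported btsnoop version/datalink")
    off = 16
    while off + 24 <= len(blob):
        # Record header: original len, included len, flags, drops, timestamp
        _orig, incl, _flags, _drops, _ts = struct.unpack(">IIIIq", blob[off:off + 24])
        off += 24
        if off + incl > len(blob):
            break  # truncated final record
        yield blob[off:off + incl]
        off += incl

def connected_peers(blob):
    """Return BD_ADDRs from successful HCI Connection Complete events."""
    peers = []
    for pkt in iter_records(blob):
        # Layout: H4 type, event code, param length, then 11 parameter bytes
        if len(pkt) < 14 or pkt[0] != H4_EVENT or pkt[1] != EVT_CONNECTION_COMPLETE:
            continue
        status, addr_le = pkt[3], pkt[6:12]  # bytes 4-5 are the connection handle
        if status == 0x00:
            peers.append(":".join(f"{b:02X}" for b in reversed(addr_le)))
    return peers

def unapproved_peers(blob, allowlist):
    allowed = {a.upper() for a in allowlist}
    return sorted({p for p in connected_peers(blob) if p not in allowed})

def sample_capture(addrs):
    """Constructed capture: one Connection Complete event per address."""
    out = BTSNOOP_MAGIC + struct.pack(">II", 1, 1002)
    for handle, addr in enumerate(addrs, start=1):
        bd = bytes(reversed(bytes.fromhex(addr.replace(":", ""))))
        hdr = bytes([H4_EVENT, EVT_CONNECTION_COMPLETE, 11, 0x00])
        pkt = hdr + struct.pack("<H", handle) + bd + b"\x01\x00"
        out += struct.pack(">IIIIq", len(pkt), len(pkt), 3, 0, 0) + pkt
    return out

SAMPLE = sample_capture(["AA:BB:CC:00:00:01", "AA:BB:CC:00:00:02"])  # constructed
APPROVED = ["aa:bb:cc:00:00:01"]                                     # constructed
```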

Monitoring Recommendations

  • Enroll Android devices in an MDM platform that reports OS patch level and flags devices below the Android 17 security bulletin patch level.
  • Alert on additions to the trusted Bluetooth device list outside of approved provisioning workflows.
  • Monitor identity systems for SMS multi-factor authentication anomalies that may indicate intercepted one-time codes.

How to Mitigate CVE-2025-48571

Immediate Actions Required

  • Apply the Android 17 security patch level referenced in the Android Security Bulletin #17 to all affected devices.
  • Instruct users to reject Bluetooth pairing prompts from unknown devices and to disable Bluetooth in untrusted environments.
  • Migrate SMS-based multi-factor authentication to application-based or hardware token methods where feasible.

Patch Information

Google has released a fix in the Android 17 security bulletin. Original Equipment Manufacturers (OEMs) integrate the fix into their device-specific firmware. Administrators should verify that managed devices report a security patch level that includes the Android 17 bulletin update. Consult the Android Security Bulletin #17 for the exact patch level string and source code references.

Workarounds

  • Disable Bluetooth on the device when it is not actively required.
  • Remove unused or unrecognized paired devices from the Bluetooth settings.
  • Restrict use of Bluetooth Message Access Profile (MAP) integrations such as in-vehicle infotainment pairing on unpatched devices.
  • Enforce MDM policies that prohibit pairing with non-corporate Bluetooth peripherals until the patch is applied.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
