CVE-2025-48572 Overview
CVE-2025-48572 is a permissions bypass vulnerability in Google Android that allows local privilege escalation. The flaw exists in multiple locations within the Android framework and permits an attacker to launch activities from the background, bypassing platform restrictions designed to prevent unauthorized UI manipulation. Exploitation requires no user interaction and no additional execution privileges beyond those already held by a malicious local application. The weakness is classified under [CWE-306: Missing Authentication for Critical Function]. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog, indicating confirmed in-the-wild exploitation.
Critical Impact
A local application can escalate privileges on Android 13 through 16 by launching background activities without authorization, enabling foreground hijacking and follow-on attacks.
Affected Products
- Google Android 13.0
- Google Android 14.0
- Google Android 15.0 and 16.0
Discovery Timeline
- 2025-12-01 - Google publishes the Android Security Bulletin December 2025 addressing the issue
- 2025-12-08 - CVE-2025-48572 published to the National Vulnerability Database
- 2025-12-10 - NVD record last updated
Technical Details for CVE-2025-48572
Vulnerability Analysis
The vulnerability resides in the Android framework code that governs activity lifecycle and background activity launch (BAL) restrictions. Android enforces BAL controls so that apps cannot arbitrarily start activities while not in the foreground, a protection introduced to block tapjacking, consent dialog hijacking, and overlay abuse. CVE-2025-48572 bypasses these controls in multiple code paths, allowing an unprivileged application to display activities over the user's current task.
Once an attacker-controlled activity reaches the foreground, the application inherits user-facing trust. It can capture credentials through spoofed prompts, approve sensitive runtime permissions, or chain into other elevation primitives. The result is local privilege escalation from a sandboxed third-party app to an effectively foreground-trusted context.
Root Cause
The root cause is missing authorization on critical activity launch transitions, consistent with [CWE-306]. The framework code paths responsible for validating whether a calling process meets the requirements to start an activity in the background do not enforce the permission check in all branches. A patch in the Android Open Source Project, recorded in commit e707f660, adjusts framework logic to close the bypass.
Attack Vector
The attack vector is local. An attacker delivers a malicious application to the device through sideloading, a third-party store, or a previously installed app that pivots to this primitive. The application invokes the affected framework path and launches an activity from the background without holding the required permissions or foreground state. No user interaction is needed beyond initial app execution.
Verified exploit code for CVE-2025-48572 is not public. Refer to the Android Source Code Update and the Android Security Bulletin December 2025 for authoritative technical detail.
Detection Methods for CVE-2025-48572
Indicators of Compromise
- Unexpected activities or full-screen overlays appearing while the user is interacting with an unrelated application.
- Third-party applications running on Android 13 through 16 builds dated prior to the December 2025 security patch level.
- Applications that request no overlay permissions yet generate UI events from a non-foreground state in system logs.
Detection Strategies
- Audit installed packages on managed devices for security patch level 2025-12-01 or later using MDM compliance policies.
- Inspect ActivityTaskManager and ActivityManager log entries for background activity start events tied to non-system UIDs.
- Use mobile threat defense telemetry to flag applications that launch activities while reported as cached or in the background.
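Added example (not from the bulletin or AOSP) covering the two checks above: it parses the `ro.build.version.security_patch` value against the 2025-12-01 level and scans logcat lines for background activity start events from non-system UIDs. The log field layout is an assumption modelled on AOSP's ActivityTaskManager messages, and the sample log lines are constructed.

```python
import re
from datetime import date

# Patch level carrying the CVE-2025-48572 fix (Android Security Bulletin December 2025)
REQUIRED_PATCH_LEVEL = date(2025, 12, 1)
# Android assigns UIDs >= 10000 to installed apps; lower values are system UIDs.
FIRST_APPLICATION_UID = 10000

def patch_level_compliant(getprop_output: str) -> bool:
    """Check `adb shell getprop ro.build.version.security_patch` output (YYYY-MM-DD)."""
    m = re.fullmatch(r"\s*(\d{4})-(\d{2})-(\d{2})\s*", getprop_output)
    if not m:
        return False  # missing or garbled property: treat the device as non-compliant
    try:
        return date(*map(int, m.groups())) >= REQUIRED_PATCH_LEVEL
    except ValueError:
        return False

# Field layout is an assumption modelled on AOSP's ActivityTaskManager
# background-launch log messages; adjust the pattern to the build you monitor.
BAL_LINE = re.compile(
    r"ActivityTaskManager.*[Bb]ackground activity (?:start|launch).*?"
    r"callingPackage:\s*(?P<pkg>[\w.]+);\s*callingUid:\s*(?P<uid>\d+)"
)

def suspicious_bal_events(log_lines):
    """Return (package, uid) for background activity starts from non-system UIDs."""
    hits = []
    for line in log_lines:
        m = BAL_LINE.search(line)
        if m and int(m.group("uid")) >= FIRST_APPLICATION_UID:
            hits.append((m.group("pkg"), int(m.group("uid"))))
    return hits

# Constructed sample logcat lines, not captured from a real device.
SAMPLE_LOG = [
    "12-09 10:14:02.113  1234  5678 W ActivityTaskManager: Background activity launch "
    "blocked! [callingPackage: com.example.sideloaded; callingUid: 10187; ...]",
    "12-09 10:14:05.001  1234  5678 I ActivityTaskManager: Background activity start "
    "[callingPackage: android; callingUid: 1000; ...]",
    "12-09 10:14:06.500  1234  5678 I ActivityManager: Start proc 9876:com.example.other/u0a188",
]

if __name__ == "__main__":
    print("patched:", patch_level_compliant("2025-11-01\n"))  # False
    for pkg, uid in suspicious_bal_events(SAMPLE_LOG):
        print(f"review {pkg} (uid {uid}): background activity start from an app UID")
```

Feed it `adb logcat -d` output and the per-device `getprop` result from your MDM export; the system-UID line (uid 1000) is filtered out, and the app-UID line is flagged for review.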
Monitoring Recommendations
- Enforce minimum Android patch level requirements in enterprise mobility management and block enrollment for devices below 2025-12-01.
- Forward mobile device security events and application install telemetry into a SIEM for correlation against the Android December 2025 bulletin advisories.
- Track installations of sideloaded APKs and unknown-source applications as elevated risk during the active exploitation window.
How to Mitigate CVE-2025-48572
Immediate Actions Required
- Apply the Android security patch level 2025-12-01 or later on all devices running Android 13, 14, 15, and 16.
- Push the update through OEM channels or enterprise mobility management as soon as carrier and vendor builds are available.
- Restrict installation of applications from unknown sources on managed fleets until devices are patched.
Patch Information
Google fixed CVE-2025-48572 in the Android Security Bulletin December 2025. The framework change is published in AOSP commit e707f660. Device manufacturers integrate the fix into their own builds, so the effective rollout date varies by OEM and carrier. CISA's listing in the Known Exploited Vulnerabilities Catalog sets a remediation deadline for federal agencies and signals priority for all organizations.
Workarounds
- Limit application installations to vetted enterprise app stores and Google Play with Play Protect enabled.
- Remove or disable non-essential third-party applications on devices that cannot yet receive the December 2025 patch.
- Apply EMM policies that block sideloading and restrict overlay or accessibility permissions to an approved allow list.
# Verify Android security patch level on a connected device
adb shell getprop ro.build.version.security_patch
# Expected output for remediated devices: 2025-12-01 or later
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.