CVE-2025-48633 Overview
CVE-2025-48633 is a local privilege escalation vulnerability in Google Android's DevicePolicyManagerService.java. Specifically, a logic error in the hasAccountsOnAnyUser function allows an attacker to add a Device Owner after the device has already been provisioned. This bypasses the intended security controls that should prevent Device Owner enrollment post-provisioning, potentially granting an attacker complete administrative control over the affected Android device.
Critical Impact
This vulnerability enables local privilege escalation to Device Owner without requiring user interaction. CISA has added this to the Known Exploited Vulnerabilities catalog, indicating active exploitation in the wild.
Affected Products
- Google Android 13.0
- Google Android 14.0
- Google Android 15.0
- Google Android 16.0
Discovery Timeline
- 2025-12-08 - CVE-2025-48633 published to NVD
- 2025-12-10 - Last updated in NVD database
Technical Details for CVE-2025-48633
Vulnerability Analysis
The vulnerability resides in the hasAccountsOnAnyUser function within DevicePolicyManagerService.java, a core component of Android's enterprise device management framework. The Device Policy Manager is responsible for enforcing enterprise policies and managing Device Owner and Profile Owner configurations.
Under normal circumstances, Android prevents Device Owner enrollment after device provisioning has been completed. This security control exists because Device Owner privileges grant extensive administrative capabilities, including the ability to silently install applications, configure system settings, perform factory resets, and access sensitive device data.
The logic error in hasAccountsOnAnyUser causes the function to incorrectly evaluate account presence across user profiles, allowing the Device Owner enrollment check to be bypassed. An attacker with local access can exploit this flaw to register as Device Owner even on fully provisioned devices. This is particularly concerning for enterprise environments where mobile device management (MDM) solutions rely on these controls.
The vulnerability requires local access and low privileges to exploit, with no user interaction necessary. The primary security impact is confidentiality, as an attacker gaining Device Owner status can access sensitive device information and enterprise data.
Root Cause
The root cause is a logic error in the hasAccountsOnAnyUser method within the Device Policy Manager Service. The function fails to properly enumerate and validate user accounts across all device profiles, resulting in incorrect return values that allow the Device Owner provisioning check to pass when it should fail.
Attack Vector
The attack vector is local, requiring an attacker to have some level of access to the target Android device. The exploitation flow involves:
- An attacker with low-privilege local access identifies that the device is running a vulnerable Android version
- The attacker triggers the Device Owner enrollment process
- Due to the logic error in hasAccountsOnAnyUser, the provisioning check incorrectly determines that enrollment is permitted
- The attacker successfully registers as Device Owner, gaining elevated administrative privileges
- With Device Owner access, the attacker can exfiltrate sensitive data, install malicious applications, or persist on the device
The vulnerability is particularly dangerous because it requires no user interaction and no additional execution privileges beyond basic local access.
Detection Methods for CVE-2025-48633
Indicators of Compromise
- Unexpected Device Owner or Profile Owner enrollments appearing in device management logs
- Anomalous calls to Device Policy Manager APIs from unexpected applications
- Enterprise MDM solutions detecting policy conflicts or unauthorized administrator accounts
- System logs showing Device Owner provisioning events on already-configured devices
Detection Strategies
- Monitor Android system logs for Device Policy Manager events, particularly setDeviceOwner calls occurring after initial device setup
- Implement enterprise MDM solutions that alert on unexpected Device Owner changes
- Deploy endpoint detection tools capable of monitoring Android device administration APIs
- Review device administration app registrations for unauthorized or suspicious entries
Monitoring Recommendations
- Enable verbose logging for DevicePolicyManagerService on enterprise-managed devices
- Configure SIEM rules to detect Device Owner provisioning events outside of authorized enrollment windows
- Establish baseline device administration configurations and alert on deviations
- Monitor for applications requesting device administration privileges without corresponding IT deployment
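The setDeviceOwner monitoring and SIEM rule from the two lists above, as an added example that is not part of this advisory: a small Python detector over constructed, simplified Device Policy Manager event lines (an assumed format, not real Android logcat output) that flags Device Owner enrollment occurring after provisioning completed and outside an authorized window, or by a package not on the MDM allowlist. The event format, package names and the 30-minute window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in an assumed simplified format (not real logcat output):
#   <ISO timestamp> <EVENT> pkg=<package> user=<user id>
SAMPLE_EVENTS = """\
2025-12-02T09:00:00 PROVISIONING_COMPLETE pkg=com.example.mdm user=0
2025-12-02T09:00:05 SET_DEVICE_OWNER pkg=com.example.mdm user=0
2025-12-09T13:42:17 SET_DEVICE_OWNER pkg=com.unknown.sideloaded user=0
2025-12-09T13:43:00 SET_PROFILE_OWNER pkg=com.example.mdm user=10
"""
AUTHORIZED_OWNERS = {"com.example.mdm"}    # assumed allowlist of sanctioned MDM packages
ENROLLMENT_WINDOW = timedelta(minutes=30)  # assumed authorized window after provisioning
LINE_RE = re.compile(r"^(\S+) (\S+) pkg=(\S+) user=(\d+)$")


def parse_events(text):
    """Parse event lines into (timestamp, event, package, user) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, kind, pkg, user = m.groups()
            events.append((datetime.fromisoformat(ts), kind, pkg, int(user)))
    return events


def detect_owner_changes(events, authorized, window):
    """Alert on owner enrollments by non-allowlisted packages and on any Device Owner
    enrollment later than the window after provisioning completed (the post-provisioning
    enrollment that CVE-2025-48633 makes possible)."""
    alerts = []
    provisioned_at = None
    for ts, kind, pkg, user in sorted(events):
        if kind == "PROVISIONING_COMPLETE":
            provisioned_at = provisioned_at or ts  # remember the first completion only
            continue
        if kind not in ("SET_DEVICE_OWNER", "SET_PROFILE_OWNER"):
            continue
        reasons = []
        if pkg not in authorized:
            reasons.append("unauthorized package")
        if kind == "SET_DEVICE_OWNER" and provisioned_at and ts - provisioned_at > window:
            reasons.append("device owner set after provisioning window")
        if reasons:
            alerts.append({"time": ts.isoformat(), "event": kind, "pkg": pkg,
                           "user": user, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_owner_changes(parse_events(SAMPLE_EVENTS), AUTHORIZED_OWNERS, ENROLLMENT_WINDOW):
        print(alert)
```

On the sample, only the Device Owner enrollment seven days after provisioning by the unlisted package is reported; the MDM's own enrollment five seconds after provisioning and its later Profile Owner set for user 10 pass.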
How to Mitigate CVE-2025-48633
Immediate Actions Required
- Apply the December 2025 Android Security Patch immediately to all affected devices
- Audit enterprise Android devices for unauthorized Device Owner or Profile Owner accounts
- Review device administration logs for evidence of exploitation
- Consider factory resetting devices where unauthorized Device Owner enrollment is detected
Patch Information
Google has released a patch for this vulnerability as part of the Android Security Bulletin for December 2025. The fix is available in the Android source code commit d00bcda9f42dcf272d329e9bf9298f32af732f93. Organizations should prioritize applying the 2025-12-01 or later security patch level to all affected Android devices.
Workarounds
- Restrict physical access to Android devices to minimize local attack opportunities
- Implement strong device authentication mechanisms including biometrics and complex PINs
- Deploy Mobile Threat Defense (MTD) solutions capable of detecting anomalous device administration changes
- For enterprise environments, enforce compliance policies that require current security patch levels before granting network access
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.