Critical Zero-Click RCE Vulnerability (CVE-2025-48593) in Android System Component
Google released a security update in November 2025 to address a critical remote code execution vulnerability, CVE-2025-48593, in the Android System component. This flaw allows attackers to execute code remotely on affected devices running Android versions 13 through 16 without requiring user interaction or additional execution privileges. The vulnerability stems from insufficient validation of user input, making it possible for exploitation via a zero-click attack vector.
The update also addressed a separate privilege escalation issue, CVE-2025-48581, affecting Android 16, but the primary concern is the zero-click RCE, which requires immediate patching due to its severity. Google has stated that there is no evidence of active exploitation in the wild at the time of the update. Security experts urge all users and organizations to apply the November 2025 security patch promptly to mitigate the risk posed by this critical vulnerability.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Reports warn CVE-2025-48593 affects Android 13 through 16
Subsequent reporting described CVE-2025-48593 as a zero-click RCE in Android's core System component affecting Android versions 13 through 16, and urged rapid patching by device makers and users. The flaw was characterized as enabling silent remote compromise of targeted devices.
Google says no in-the-wild exploitation is known for patched Android flaws
At the time of the November 2025 Android security bulletin, Google stated it was not aware of active exploitation of CVE-2025-48593 or the other patched System component issue. This accompanied disclosure of the fixes in the monthly update.
Google releases November 2025 Android patch for CVE-2025-48593
Google issued its November 2025 Android security update with the 2025-11-01 security patch level, fixing CVE-2025-48593, a critical remote code execution flaw in the Android System component. The vulnerability requires no additional privileges and no user interaction to exploit.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Android Hit by 0-Click RCE Vulnerability in Core System Component
databreaches.net
Open sourceAndroid Zero-Click RCE (CVE-2025-48593) in System Component Requires Immediate Patch for Versions 13-16
securityonline.info
Open sourceGoogle fixed a critical remote code execution in Android
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Patches Android Zero-Interaction DoS and Zero-Click adbd RCE Flaws
Google issued Android security updates to fix multiple high-severity flaws, including **CVE-2026-0049**, a critical Android Framework vulnerability that can trigger a local denial-of-service with no user interaction and no elevated privileges, and **CVE-2026-0073**, a critical remote code execution bug in the Android System component tied to the Android Debug Bridge Daemon (`adbd`). The `adbd` flaw affects Android 14, 15, 16, and `16-qpr2`, and under proximal or adjacent network conditions could allow shell-level remote code execution on a target device without user action. The April bulletin also addressed **CVE-2025-48651**, a high-severity StrongBox issue affecting hardware-backed key storage implementations from Google, NXP, STMicroelectronics, and Thales, with fixes split between the `2026-04-01` and `2026-04-05` patch levels. Google said the `adbd` issue is remediated by the `2026-05-01` security patch level or later and noted that, because `adbd` is delivered through Project Mainline, mitigations can reach Android 10 and later devices faster through Google Play system updates; organizations were urged to accelerate deployment of the April and May patches across managed mobile fleets.
May 25, 2026
Google Patches Android Zero-Day and High-Severity XR Privilege Escalation Flaws
Google has issued its June 2026 Android security updates to fix **113 vulnerabilities**, including **18 critical** flaws and a zero-day tracked as `CVE-2025-48595` that the company said may be under limited, targeted exploitation. The zero-day affects the **Android Framework** and stems from an integer overflow memory-management issue that can enable code execution and potentially full device compromise. The update also addresses vulnerabilities in third-party components from **Qualcomm, MediaTek, and Unisoc**, and Google said devices running Android 10 or later can receive relevant fixes through Google Play services, with patch levels dated **2026-06-05** or later remediating the documented issues. Google also published its June 2026 **XR Security Bulletin**, disclosing a high-severity flaw, `CVE-2026-0072`, in `InputMethodManagerService`. The bug is caused by a missing permission check in `addInputMethodListener` and can allow **local elevation of privilege** without additional execution privileges or user interaction; Google said it could also permit input text to be read without permission. The XR issue is fixed with security patch level **2026-06-01** or later, while full XR protection requires the broader Android June 2026 patch level as well, underscoring the need for enterprises to accelerate deployment of both platform and device-vendor updates.
Jun 3, 2026
Android December 2025 Security Update Addresses Critical DoS and Two Exploited Zero-Days
Google released the December 2025 Android Security Bulletin, patching 107 vulnerabilities, including a critical remote Denial of Service (DoS) flaw (CVE-2025-48631) in the Android Framework and two zero-day vulnerabilities (CVE-2025-48633 and CVE-2025-48572) that are reportedly under active exploitation. The zero-days allow for information disclosure and elevation of privilege, affecting Android versions 13 through 16, and are believed to be targeted in limited attacks. The DoS vulnerability enables remote attackers to crash or disable devices without requiring user interaction or additional execution privileges. The update is distributed in two patch levels (2025-12-01 and 2025-12-05), covering both core Android components and vendor-specific issues. Google’s disclosure highlights the ongoing threat posed by actively exploited vulnerabilities in the Android ecosystem and underscores the importance of timely patching by device manufacturers and users. The December update represents one of the largest patch releases of the year, following a period of irregular vulnerability reporting from Google.
Mar 21, 2026