Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
HighCISA KEVExploited in the wildPublic exploit

Android Framework background activity launch privilege escalation

IdentifiersCVE-2025-48572CWE-863

CVE-2025-48572 is a high-severity elevation-of-privilege vulnerability in the Android Framework affecting Android 13, 14, 15, and 16. According to the provided content, the flaw exists in multiple locations and allows activities to be launched from the background due to a permissions bypass. This enables a malicious local application to perform unauthorized background activity launches that should be restricted by the framework’s permission and activity-launch controls. Google indicated the issue was under limited, targeted exploitation at the time of disclosure.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can allow a local attacker or malicious app to elevate privileges on a vulnerable Android device. Because the issue is described as a permissions bypass in the Framework, exploitation can let an unprivileged app perform actions normally blocked by Android’s background activity launch restrictions, potentially enabling further privileged operations or abuse of protected application flows. The content also indicates in-the-wild exploitation in limited, targeted attacks.

Mitigation

If you can’t patch tonight, do this now.

Until patches are deployed, reduce exposure by limiting installation of untrusted or unnecessary applications, enforcing application allowlisting or managed enterprise app policies where possible, and prioritizing updates for high-risk or targeted users. Because exploitation is local and requires no user interaction, mitigation is limited without vendor patches; prompt installation of OEM security updates is the primary effective measure. Google Play Protect may provide some additional protection against known malicious apps, but it is not a substitute for patching.

Remediation

Patch, then assume compromise.

Apply the Android December 2025 security updates that address CVE-2025-48572. The provided content indicates the vulnerability is fixed in Google’s December 2025 Android Security Bulletin and that devices updated to security patch level 2025-12-05 or later are protected against all issues in that bulletin. Organizations should obtain and deploy the corresponding OEM/vendor firmware updates for affected Android 13–16 devices as they become available.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
GoogleAndroidoperating_system

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

29 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

29 SOURCESView more in app
bleeping computerNews
Jun 2, 2026
Google fixes one actively exploited Android zero-day, 124 flaws

A high-severity Android zero-day previously patched by Google and described as being under limited, targeted exploitation.

Read more
bleeping computerNews
Mar 3, 2026
Android gets patches for Qualcomm zero-day exploited in attacks

A high-severity Android zero-day vulnerability patched by Google in December and described as under limited, targeted exploitation.

Read more
the hacker newsNews
Feb 28, 2026
Android - Latest News, Reports & Analysis | The Hacker News

An elevation of privilege vulnerability in the Android Framework component that Google states has been exploited in the wild (limited/targeted).

Read more
cyberthroneNews
Dec 26, 2025
When Silence Broke Security: Zero-Days in 2025 - TheCyberThrone

Android privilege escalation vulnerability described as a zero-day and actively exploited.

Read more
+14 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity10

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2025-48572
NVD
nvd.nist.gov/vuln/detail/CVE-2025-48572
MITRE CWE · CWE-863
cwe.mitre.org
Vendor Advisory
source.android.com/security/bulletin/2025-12-01
Third Party Advisory
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48572
Product
android.googlesource.com/platform/frameworks/base/+/e707f6600330691f9c67dc023c09f4cd2fc59192