Two Android zero-day vulnerabilities exploited in targeted attacks
Summary
Google has released its September 2025 security updates for Android, addressing 111 vulnerabilities, including two zero-day flaws that have been exploited in limited, targeted attacks. The two vulnerabilities, CVE-2025-38352 in the Linux kernel and CVE-2025-48543 in the Android Runtime, allow local privilege escalation without additional execution privileges or user interaction. CVE-2025-38352 is a race condition in the kernel's POSIX CPU timers and was discovered by Benoît Sevens of Google's Threat Analysis Group (TAG), whose involvement suggests it may have been used in targeted spyware attacks. Google has not disclosed details of the attacks beyond acknowledging limited, targeted exploitation. The bulletin ships two patch levels to give Android partners flexibility: 2025-09-01 resolves the Android Runtime zero-day, and 2025-09-05 fixes the Linux kernel bug along with 51 other issues affecting various components. The updates also address remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities in the Framework and System components, cover Android 13 through 16, and include fixes for 27 Qualcomm components, bringing the total to 111 unique CVEs. Google also rolled out Pixel security updates resolving 23 Pixel-specific vulnerabilities, and all vulnerabilities in the Android bulletin are resolved in updates to Wear OS, Pixel Watch, and Automotive OS.
Timeline
- 03.09.2025 14:05 (3 articles)
Two Android zero-day vulnerabilities exploited in targeted attacks
The article provides additional details on the vulnerabilities addressed in the September 2025 Android security update. It clarifies the nature of the two zero-day flaws, CVE-2025-38352 and CVE-2025-48543, and their potential impacts. The article also highlights other critical vulnerabilities fixed in the update, including remote code execution and memory corruption flaws in Qualcomm components. The update covers Android 13 through 16 and includes fixes for 27 Qualcomm components, bringing the total number of fixed flaws to 111. The article specifies that the Linux kernel vulnerability (CVE-2025-38352) is a race condition related to POSIX CPU timers. It also notes that the Android Runtime zero-day (CVE-2025-48543) is resolved in the 2025-09-01 security patch level. The 2025-09-05 security patch level fixes the Linux kernel bug and 51 other issues affecting various components. Google rolled out Pixel security updates resolving 23 vulnerabilities specific to Pixel devices. All vulnerabilities in the Android bulletin are resolved with updates to Wear OS, Pixel Watch, and Automotive OS.
Sources:
- Android Security Alert: Google Patches 120 Flaws, Including Two Zero-Days Under Attack — thehackernews.com — 03.09.2025 14:05
- Google fixes actively exploited Android flaws in September update — www.bleepingcomputer.com — 03.09.2025 17:14
- Two Exploited Vulnerabilities Patched in Android — www.securityweek.com — 04.09.2025 10:49
Information Snippets
- Google released security updates for 120 vulnerabilities in Android for September 2025.
  First reported 03.09.2025 14:05; sources: thehackernews.com, bleepingcomputer.com, securityweek.com
- Two zero-day vulnerabilities, CVE-2025-38352 and CVE-2025-48543, are actively exploited in targeted attacks.
  First reported 03.09.2025 14:05; sources: thehackernews.com, bleepingcomputer.com, securityweek.com
- CVE-2025-38352 is a privilege escalation flaw in the Linux Kernel component with a CVSS score of 7.4.
  First reported 03.09.2025 14:05; sources: thehackernews.com, bleepingcomputer.com, securityweek.com
- CVE-2025-48543 is a privilege escalation flaw in the Android Runtime component with an unspecified CVSS score.
  First reported 03.09.2025 14:05; sources: thehackernews.com, bleepingcomputer.com, securityweek.com
- Both vulnerabilities allow for local privilege escalation without additional execution privileges or user interaction.
  First reported 03.09.2025 14:05; sources: thehackernews.com, bleepingcomputer.com, securityweek.com
- Google has released two patch levels, 2025-09-01 and 2025-09-05, to address the vulnerabilities.
  First reported 03.09.2025 14:05; sources: thehackernews.com, bleepingcomputer.com, securityweek.com
- Benoît Sevens of Google's Threat Analysis Group (TAG) discovered the Linux Kernel flaw.
  First reported 03.09.2025 14:05; sources: thehackernews.com, bleepingcomputer.com, securityweek.com
- The updates also address remote code execution, privilege escalation, information disclosure, and denial-of-service vulnerabilities in Framework and System components.
  First reported 03.09.2025 14:05; sources: thehackernews.com, bleepingcomputer.com, securityweek.com
- CVE-2025-38352 is a race condition in POSIX CPU timers, allowing task cleanup disruption and kernel destabilization.
  First reported 03.09.2025 17:14; sources: bleepingcomputer.com, securityweek.com
- CVE-2025-48543 impacts the Android Runtime, allowing a malicious app to bypass sandbox restrictions and access higher-level system capabilities.
  First reported 03.09.2025 17:14; sources: bleepingcomputer.com, securityweek.com
- CVE-2025-48539 is a remote code execution (RCE) problem in Android's System component, allowing an attacker to execute arbitrary code on the device without user interaction or privileges.
  First reported 03.09.2025 17:14; sources: bleepingcomputer.com, securityweek.com
- CVE-2025-21483 is a memory corruption flaw in the data network stack that allows remote code execution without user interaction.
  First reported 03.09.2025 17:14; source: bleepingcomputer.com
- CVE-2025-27034 is an array index validation bug in the multi-mode call processor, enabling code execution in the modem baseband.
  First reported 03.09.2025 17:14; source: bleepingcomputer.com
- The September 2025 update addresses 84 vulnerabilities, including 27 Qualcomm components, and covers Android 13 through 16.
  First reported 03.09.2025 17:14; sources: bleepingcomputer.com, securityweek.com
- The September 2025 Android patches address 111 unique CVEs.
  First reported 04.09.2025 10:49; source: securityweek.com
- The Linux kernel vulnerability (CVE-2025-38352) is a race condition related to POSIX CPU timers.
  First reported 04.09.2025 10:49; source: securityweek.com
- The Android Runtime zero-day (CVE-2025-48543) is resolved in the 2025-09-01 security patch level.
  First reported 04.09.2025 10:49; source: securityweek.com
- The 2025-09-05 security patch level fixes the Linux kernel bug and 51 other issues affecting various components.
  First reported 04.09.2025 10:49; source: securityweek.com
- Google rolled out Pixel security updates resolving 23 vulnerabilities specific to Pixel devices.
  First reported 04.09.2025 10:49; source: securityweek.com
- All vulnerabilities in the Android bulletin are resolved with updates to Wear OS, Pixel Watch, and Automotive OS.
  First reported 04.09.2025 10:49; source: securityweek.com
- The 2025-09-01 security patch level addresses 58 other bugs in Framework, System, and Widevine DRM.
  First reported 04.09.2025 10:49; source: securityweek.com
- The 2025-09-05 security patch level includes fixes for issues affecting Linux kernel and multiple hardware components.
  First reported 04.09.2025 10:49; source: securityweek.com
Similar Happenings
CISA Emergency Directive 25-03: Mitigation of Cisco ASA Zero-Day Vulnerabilities
The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive 25-03, mandating federal agencies to identify and mitigate zero-day vulnerabilities in Cisco Adaptive Security Appliances (ASA) exploited by an advanced threat actor. The directive requires agencies to account for all affected devices, collect forensic data, and upgrade or disconnect end-of-support devices by September 26, 2025. The vulnerabilities allow threat actors to maintain persistence and gain network access. Cisco identified multiple zero-day vulnerabilities (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363, and CVE-2025-20352) in Cisco ASA, Firewall Threat Defense (FTD) software, and Cisco IOS software. These vulnerabilities enable unauthenticated remote code execution, unauthorized access, and denial of service (DoS) attacks. GreyNoise detected large-scale campaigns targeting ASA login portals and Cisco IOS Telnet/SSH services, indicating potential exploitation of these vulnerabilities. The campaign is widespread and involves exploiting zero-day vulnerabilities to gain unauthenticated remote code execution on ASAs, as well as manipulating read-only memory (ROM) to persist through reboot and system upgrade. CISA and Cisco linked these ongoing attacks to the ArcaneDoor campaign, which exploited two other ASA and FTD zero-days (CVE-2024-20353 and CVE-2024-20359) to breach government networks worldwide since November 2023. CISA ordered agencies to identify all Cisco ASA and Firepower appliances on their networks, disconnect all compromised devices from the network, and patch those that show no signs of malicious activity by 12 PM EDT on September 26. CISA also ordered that agencies must permanently disconnect ASA devices that are reaching the end of support by September 30 from their networks. The U.K. National Cyber Security Centre (NCSC) confirmed that threat actors exploited the recently disclosed security flaws in Cisco firewalls to deliver previously undocumented malware families like RayInitiator and LINE VIPER. Cisco began investigating attacks on multiple government agencies in May 2025, linked to the state-sponsored ArcaneDoor campaign. The attacks targeted Cisco ASA 5500-X Series devices to implant malware, execute commands, and potentially exfiltrate data. The threat actor modified ROMMON to facilitate persistence across reboots and software upgrades. The compromised devices include ASA 5500-X Series models running specific software releases with VPN web services enabled. The Canadian Centre for Cyber Security urged organizations to update to a fixed version of Cisco ASA and FTD products to counter the threat.
Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks
Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software.
Supermicro BMC Firmware Vulnerabilities Allow Firmware Tampering
Two medium-severity vulnerabilities in Supermicro Baseboard Management Controller (BMC) firmware allow attackers to bypass firmware verification and update the system with malicious firmware. These vulnerabilities, CVE-2025-7937 and CVE-2025-6198, exploit flaws in the cryptographic signature verification process. The vulnerabilities affect the Root of Trust (RoT) security feature, potentially allowing attackers to gain persistent control over the BMC system and the main server OS. The issues were discovered by Binarly, a firmware security company. Supermicro has released firmware fixes for impacted models, and Binarly has released proof-of-concept exploits for both vulnerabilities. CVE-2025-7937 is a bypass for a previously disclosed vulnerability, CVE-2024-10237, which was reported by NVIDIA. CVE-2025-6198 bypasses the BMC RoT security feature, raising concerns about the reuse of cryptographic signing keys.
Command injection flaw in Libraesva ESG exploited by state actors
Libraesva has released an emergency update for its Email Security Gateway (ESG) solution to address a command injection vulnerability (CVE-2025-59689). This flaw, exploited by a state-sponsored actor, allows arbitrary shell command execution via a crafted email attachment. The vulnerability affects all versions from 4.5 onwards and has been patched in versions 5.0.31, 5.1.20, 5.2.31, 5.3.16, 5.4.8, and 5.5.7. The exploit was discovered and patched within 17 hours of detection. The vulnerability is triggered by improper sanitization of compressed archive formats, enabling non-privileged users to execute arbitrary commands. The patch includes a sanitization fix, automated scans for indicators of compromise, and a self-assessment module to verify the update's application. The vulnerability has a CVSS score of 6.1, indicating medium severity. Libraesva has identified one confirmed incident of abuse by a foreign hostile state entity. Customers using versions below 5.0 must upgrade manually to a supported release, as they have reached end-of-life and will not receive a patch for CVE-2025-59689.
ShadowLeak: Undetectable Email Theft via AI Agents
A new attack vector, dubbed ShadowLeak, allows hackers to invisibly steal emails from users who integrate AI agents like ChatGPT with their email inboxes. The attack exploits the lack of visibility into AI processing on cloud infrastructure, making it undetectable to the user. The vulnerability was discovered by Radware and reported to OpenAI, which addressed it in August 2025. The attack involves embedding malicious code in emails, which the AI agent processes and acts upon without user awareness. The attack leverages an indirect prompt injection hidden in email HTML, using techniques like tiny fonts, white-on-white text, and layout tricks to remain undetected by the user. The attack can be extended to any connector that ChatGPT supports, including Box, Dropbox, GitHub, Google Drive, HubSpot, Microsoft Outlook, Notion, or SharePoint. The ShadowLeak attack targets users who connect AI agents to their email inboxes, such as those using ChatGPT with Gmail. The attack is non-detectable and leaves no trace on the user's network. The exploit involves embedding malicious code in emails, which the AI agent processes and acts upon, exfiltrating sensitive data to an attacker-controlled server. OpenAI acknowledged and fixed the issue in August 2025, but the exact details of the fix remain unclear. The exfiltration in ShadowLeak occurs directly within OpenAI's cloud environment, bypassing traditional security controls.