CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Google Patches Two Exploited Android Framework Vulnerabilities

First reported
Last updated
3 unique sources, 3 articles

Summary

Hide ▲

Google released December 2025 Android security updates addressing 107 vulnerabilities, including two Framework bugs (CVE-2025-48633, CVE-2025-48572) actively exploited in limited, targeted attacks. The updates also fixed a critical Framework flaw (CVE-2025-48631) enabling remote DoS without additional privileges. Patches are available in two levels (2025-12-01, 2025-12-05) for faster manufacturer adoption. The vulnerabilities affect Android versions 13, 14, 15, and 16, and the patches will address 56 additional vulnerabilities affecting Android components in the kernel or third-party components. Similar flaws in the past were used for targeted exploitation by commercial spyware or nation-state operations targeting a small number of high-interest individuals. The updates address four critical-severity fixes for elevation-of-privilege flaws in the Kernel's Pkvm and UOMMU subcomponents, and two critical fixes for Qualcomm-powered devices (CVE-2025-47319 and CVE-2025-47372). Samsung published its security bulletin, including ported fixes from the Google update and vendor-specific fixes. Devices on Android 10 and later may receive some crucial fixes via Google Play system updates. Play Protect can detect and block documented malware and attack chains, so users of any Android version should keep the component up to date and active.

Timeline

  1. 02.12.2025 09:17 3 articles · 1d ago

    Google Patches Two Exploited Android Framework Vulnerabilities

    Google released December 2025 Android security updates addressing 107 vulnerabilities, including two Framework bugs (CVE-2025-48633, CVE-2025-48572) actively exploited in limited, targeted attacks. The updates also fixed a critical Framework flaw (CVE-2025-48631) enabling remote DoS without additional privileges. Patches are available in two levels (2025-12-01, 2025-12-05) for faster manufacturer adoption. The vulnerabilities affect Android versions 13, 14, 15, and 16, and the patches will address 56 additional vulnerabilities affecting Android components in the kernel or third-party components. Similar flaws in the past were used for targeted exploitation by commercial spyware or nation-state operations targeting a small number of high-interest individuals. The updates address four critical-severity fixes for elevation-of-privilege flaws in the Kernel's Pkvm and UOMMU subcomponents, and two critical fixes for Qualcomm-powered devices (CVE-2025-47319 and CVE-2025-47372). Samsung published its security bulletin, including ported fixes from the Google update and vendor-specific fixes. Devices on Android 10 and later may receive some crucial fixes via Google Play system updates. Play Protect can detect and block documented malware and attack chains, so users of any Android version should keep the component up to date and active.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

Cisco IOS and IOS XE SNMP Zero-Day Exploited in Attacks

Cisco has released security updates to address a high-severity zero-day vulnerability (CVE-2025-20352) in Cisco IOS and IOS XE Software. The flaw is a stack-based buffer overflow in the Simple Network Management Protocol (SNMP) subsystem, actively exploited in attacks. This vulnerability allows authenticated, remote attackers to cause denial-of-service (DoS) conditions or gain root control of affected systems. The vulnerability impacts all devices with SNMP enabled, including specific Cisco devices running Meraki CS 17 and earlier. Cisco advises customers to upgrade to a fixed software release, specifically Cisco IOS XE Software Release 17.15.4a, to remediate the vulnerability. Temporary mitigation involves limiting SNMP access to trusted users and disabling the affected Object Identifiers (OIDs) on devices. Additionally, Cisco patched 13 other security vulnerabilities, including two with available proof-of-concept exploit code. Cisco also released patches for 14 vulnerabilities in IOS and IOS XE, including eight high-severity vulnerabilities. Proof-of-concept exploit code exists for two of the vulnerabilities, but exploitation is not confirmed. Three additional medium-severity bugs affect Cisco’s SD-WAN vEdge, Access Point, and Wireless Access Point (AP) software. Cybersecurity researchers have disclosed details of a new campaign, codenamed "Operation Zero Disco", that exploited CVE-2025-20352 to deploy Linux rootkits on older, unprotected systems. The attacks targeted Cisco 9400, 9300, and legacy 3750G series devices, and involved the exploitation of a modified Telnet vulnerability (based on CVE-2017-3881) to enable memory access. The rootkits allowed attackers to achieve remote code execution and gain persistent unauthorized access by setting universal passwords and installing hooks into the Cisco IOS daemon (IOSd) memory space. The attacks singled out victims running older Linux systems without endpoint detection response solutions, using spoofed IPs and Mac email addresses. The rootkit sets a universal password that includes the word "disco" in it, and the malware installs several hooks onto the IOSd, resulting in fileless components disappearing after a reboot. Newer switch models provide some protection via Address Space Layout Randomization (ASLR). The campaign used a UDP controller on infected switches to toggle logs, bypass authentication, and conceal configuration changes. The rootkit allowed attackers to hide running-config items such as account names, EEM scripts, and ACLs. The rootkit could bypass VTY ACLs and reset the last running-config write timestamp. The rootkit could toggle or delete device logs. The attacks against 32-bit builds included an SNMP exploit that split command payloads across packets. For 64-bit targets, attackers needed guest shell access at level 15 to install a fileless backdoor and use a UDP controller for remote management. The rootkit granted several covert capabilities, including acting as a UDP listener on any port for remote commands. The rootkit created a universal password by modifying IOSd memory. The rootkit could hide running-config items such as account names, EEM scripts, and ACLs. The rootkit could bypass VTY ACLs and reset the last running-config write timestamp. The rootkit could toggle or delete device logs. The attacks targeted older Linux hosts lacking endpoint detection response, where fileless components could disappear after reboot, yet still enable lateral movement. Trend Research recovered multiple exploit variants for 32-bit and 64-bit platforms. The operation impacted Cisco 9400 series, 9300 series, and legacy 3750G devices. Cisco provided forensic support that helped confirm affected models and assisted the investigation. The attacks involved a Telnet variant used to permit arbitrary memory access.

Open in new tab

Zero-day in Google Chrome exploited in the wild

Google has patched a zero-day vulnerability (CVE-2025-10585) in the Chrome web browser that has been actively exploited in the wild. The vulnerability is a type confusion issue in the V8 JavaScript and WebAssembly engine. The exploit details, actors involved, and the scale of exploitation remain undisclosed. The flaw is the sixth zero-day in Chrome that has been actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. Google has released security updates to address the vulnerability.

Open in new tab

Type Confusion Vulnerabilities in Chrome's V8 Engine Exploited in the Wild

Google has released security updates for Chrome to address a zero-day vulnerability (CVE-2025-13223) in the V8 JavaScript and WebAssembly engine. This type confusion flaw is being actively exploited in the wild, posing a risk to millions of users. The update is available for Windows, macOS, and Linux. Users of other Chromium-based browsers should also apply the fixes as soon as they are available. The flaw was discovered and reported by Clément Lecigne of Google's Threat Analysis Group (TAG) on November 12, 2025. Type confusion vulnerabilities can lead to arbitrary code execution and program crashes. Google has not disclosed specific details about the exploitation to prevent further abuse. This is the seventh zero-day vulnerability in Chrome that has been either actively exploited or demonstrated as a proof-of-concept (PoC) since the start of the year. The list includes CVE-2025-2783, CVE-2025-4664, CVE-2025-5419, CVE-2025-6554, CVE-2025-6558, CVE-2025-10585, and CVE-2025-13223.

Open in new tab

Samsung patches zero-day vulnerability in libimagecodec.quram.so

Samsung has patched a critical remote code execution vulnerability (CVE-2025-21043) in its Android devices running Android 13, 14, 15, or 16. The flaw, discovered in the libimagecodec.quram.so library, was exploited in zero-day attacks targeting Samsung devices. The vulnerability allows attackers to execute arbitrary code remotely due to an out-of-bounds write weakness. Meta and WhatsApp reported the issue, which was also part of a broader exploit campaign involving Apple devices. The exploit was reported to Samsung on August 13, and the patch was released in the September 2025 Security Maintenance Release (SMR). The vulnerability affects Samsung devices using the vulnerable image parsing library, potentially impacting other instant messengers that rely on it.

Open in new tab

Two Android zero-day vulnerabilities exploited in targeted attacks

Google has released security updates for September 2025 to address 111 vulnerabilities in Android, including two zero-day flaws actively exploited in targeted attacks. The vulnerabilities, CVE-2025-38352 and CVE-2025-48543, allow for local privilege escalation without additional execution privileges or user interaction. The updates include two patch levels, 2025-09-01 and 2025-09-05, to provide flexibility for Android partners. The flaws affect the Linux Kernel and Android Runtime components. Google has not disclosed specific details about the attacks but has acknowledged limited, targeted exploitation. Benoît Sevens of Google's Threat Analysis Group (TAG) discovered the Linux Kernel flaw, suggesting it may have been used in targeted spyware attacks. The updates also address several other vulnerabilities, including remote code execution, privilege escalation, information disclosure, and denial-of-service issues in Framework and System components. The September 2025 update covers Android 13 through 16 and includes fixes for 27 Qualcomm components, bringing the total number of fixed flaws to 111. The September 2025 Android patches address 111 unique CVEs. The Linux kernel vulnerability (CVE-2025-38352) is a race condition related to POSIX CPU timers. The Android Runtime zero-day (CVE-2025-48543) is resolved in the 2025-09-01 security patch level. The 2025-09-05 security patch level fixes the Linux kernel bug and 51 other issues affecting various components. Google rolled out Pixel security updates resolving 23 vulnerabilities specific to Pixel devices. All vulnerabilities in the Android bulletin are resolved with updates to Wear OS, Pixel Watch, and Automotive OS.

Open in new tab