CVE-2025-48572 & CVE-2025-48633 Update


Lookout Coverage and Recommendation for Admins
As a Lookout customer, your primary action is to ensure all managed Android devices are immediately updated to a patched version to mitigate these active threats. Lookout admins should ensure all users are protected through the following steps:
- Endpoint Detection: Enable Lookout’s Out-of-date OS policy. Lookout detects devices running an out-of-date Android Security Patch Level (ASPL) and flags them as vulnerable.
- Threat Prevention: Enable Lookout Phishing & Content Protection (PCP) to protect mobile users from malicious phishing campaigns that deliver exploit URLs.
- Risk Management: Continuously monitor device status, as vulnerabilities like these can grant attackers broad access and lead to data leakage for enterprise organizations.
Overview
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently released guidance on CVE-2025-48572 and CVE-2025-48633, which are two high-severity zero-day flaws. These critical vulnerabilities reside in the Android Framework component, which is the set of core software components, libraries, and APIs developers use to build and manage Android applications.
CVE-2025-48572 is an Elevation of Privilege (EoP) vulnerability that can allow a local attacker, via a malicious app, to gain higher-than-intended privileges, potentially achieving administrative control and bypassing the standard Android security model. In addition, CVE-2025-48633 is an Information Disclosure vulnerability. This flaw could allow an Android application to access sensitive information that should be confined to another component or privilege boundary.
These two vulnerabilities, which affect Android 13 through 16, are often used together in a typical, sophisticated attack chain:
- Gaining Initial Access (Vector): The user is tricked into installing a malicious app via an unofficial marketplace or a phishing or smishing link.
- Information Disclosure (CVE-2025-48633): The malicious app first exploits this flaw to gather sensitive data, such as tokens or keys, from the Android Framework.
- Privilege Escalation (CVE-2025-48572): Using the gathered information, the attacker exploits this EoP flaw to gain escalated privileges, allowing them to install persistent malware (e.g., spyware), disable security controls, and achieve persistent device access.
CISA has added these vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that they have been actively exploited in the wild. These CVEs are patched by applying the December 5, 2025 Security Patch Level or a later update.
United States government organizations are required to have all vulnerable devices patched by December 23, 2025. While this patching requirement is mandatory only for U.S. government organizations, CISA’s guidance should be considered a critical source of information and a call to action for all enterprise organizations. All organizations should apply the patches immediately to mitigate the threat posed by these actively exploited zero-days.
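One way to turn the patch level stated above and the out-of-date ASPL check from the recommendations into a fleet check, as an added example that is not Lookout's code: it reads the `ro.build.version.release` and `ro.build.version.security_patch` values (standard Android build properties, collected however your MDM exposes them) from a constructed inventory and flags Android 13 through 16 devices whose patch level is below December 5, 2025; a missing or unreadable patch level is treated as vulnerable.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Patch level that fixes CVE-2025-48572 and CVE-2025-48633 (from the advisory).
FIXED_ASPL = date(2025, 12, 5)
# Android major versions the advisory lists as affected (13 through 16).
AFFECTED_RELEASES = range(13, 17)


@dataclass
class DeviceReport:
    device_id: str
    release: str          # ro.build.version.release, e.g. "14" or "15.0.1"
    security_patch: str   # ro.build.version.security_patch, e.g. "2025-11-01"


def parse_patch_level(value: str) -> Optional[date]:
    """Parse an ASPL string (YYYY-MM-DD); return None if missing or malformed."""
    try:
        y, m, d = (int(part) for part in value.strip().split("-"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None


def major_release(value: str) -> Optional[int]:
    """Return the Android major version from a release string like '14' or '13.0.1'."""
    try:
        return int(value.strip().split(".")[0])
    except (ValueError, AttributeError, IndexError):
        return None


def assess(report: DeviceReport) -> str:
    """Classify a device as 'patched', 'vulnerable', 'not_affected' or 'unknown'."""
    major = major_release(report.release)
    if major is None:
        return "unknown"
    if major not in AFFECTED_RELEASES:
        return "not_affected"
    aspl = parse_patch_level(report.security_patch)
    if aspl is None:
        # An unreadable patch level cannot prove the fix is present: fail closed.
        return "vulnerable"
    return "patched" if aspl >= FIXED_ASPL else "vulnerable"


def flag_fleet(reports: List[DeviceReport]) -> List[str]:
    """Return the ids of devices that still need the December 2025 patch level."""
    return [r.device_id for r in reports if assess(r) == "vulnerable"]


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    DeviceReport("dev-001", "14", "2025-11-01"),
    DeviceReport("dev-002", "16", "2025-12-05"),
    DeviceReport("dev-003", "12", "2024-06-01"),
    DeviceReport("dev-004", "13", "n/a"),
    DeviceReport("dev-005", "15.0.1", "2026-01-05"),
]
```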
Lookout Analysis
What is most concerning about these vulnerabilities is their high severity and active exploitation in targeted attacks. They allow an attacker to gain administrative control and steal sensitive data. They are highly critical zero-day flaws that are typically chained with other vulnerabilities, sometimes requiring the target to install a malicious app or click a phishing link for initial compromise.
Without visibility into vulnerable devices across your mobile fleet, your organization and its data could be exposed to threats like this. To feed this device data and more into your SIEM, SOAR, EDR, or XDR, integrate Lookout with those tools via the Mobile Intelligence APIs. You can learn how to set up those APIs in this interactive demo.