Logic Error in Android Device Policy Manager Service Allows Unauthorized Device Owner Addition
CVE-2025-48633
What is CVE-2025-48633?
CVE-2025-48633 is a significant vulnerability identified in the Android Device Policy Manager Service, developed by Google. This flaw arises from a logic error in the hasAccountsOnAnyUser function within the DevicePolicyManagerService.java file. The vulnerability allows for unauthorized addition of a Device Owner after the provisioning process—an action that typically requires escalated privileges. The implication of this vulnerability is serious, as it potentially enables local escalation of privileges without any need for additional permissions or user interaction, placing organizations at risk of unauthorized control over devices. Given that the Device Policy Manager is crucial for managing device policies and security configurations in an enterprise, this vulnerability could lead to considerable disruptions and security lapses.
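A fleet-audit check in the defensive spirit of the description above, added here as an example and not code from Google, the Android project or this page: it parses the device-owner section of `adb shell dumpsys device_policy` output and flags any device whose Device Owner is missing, or is not the admin component of the expected MDM. The exact dump layout, the `com.example.*` package names and the `EXPECTED_OWNER` value are assumptions; adjust the regex to what your Android build prints.

```python
import re
import subprocess
from typing import Optional

# Constructed sample in the shape of an `adb shell dumpsys device_policy` dump
# (layout assumed; adjust OWNER_RE if your build prints the section differently).
SAMPLE_DUMP_CLEAN = """Current Device Policy Manager state:
  Device Owner:
    admin=ComponentInfo{com.example.mdm/com.example.mdm.DeviceAdminReceiver}
    name=Corp MDM
    package=com.example.mdm
    User ID: 0
  Profile Owners:
"""

# Same dump, but the Device Owner is a component the fleet does not manage with.
SAMPLE_DUMP_SUSPECT = SAMPLE_DUMP_CLEAN.replace(
    "com.example.mdm/com.example.mdm.DeviceAdminReceiver",
    "com.example.unknown/com.example.unknown.Receiver",
).replace("package=com.example.mdm", "package=com.example.unknown")

# Assumption: the admin component of the MDM that should own every managed device.
EXPECTED_OWNER = "com.example.mdm/com.example.mdm.DeviceAdminReceiver"

# "Device Owner:" followed (possibly on the next line) by the admin component.
OWNER_RE = re.compile(r"Device Owner:\s*admin=ComponentInfo\{([^}]+)\}")


def parse_device_owner(dump: str) -> Optional[str]:
    """Return the device-owner admin component from a dump, or None if no owner is set."""
    match = OWNER_RE.search(dump)
    return match.group(1) if match else None


def audit_device_owner(dump: str, expected: Optional[str]) -> str:
    """Classify a device: 'ok', 'no-owner', 'missing-owner' or 'unexpected-owner'.

    `expected` is None for devices that are not enrolled in MDM at all; such a
    device should never report a Device Owner, so any owner there is suspect.
    """
    owner = parse_device_owner(dump)
    if owner is None:
        return "no-owner" if expected is None else "missing-owner"
    if expected is None or owner != expected:
        return "unexpected-owner"
    return "ok"


def fetch_dump() -> str:
    """Pull the live dump from the attached device (requires adb on PATH)."""
    return subprocess.run(["adb", "shell", "dumpsys", "device_policy"],
                          capture_output=True, text=True, check=True).stdout
```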
Potential impact of CVE-2025-48633
- Unauthorized Device Control: The primary risk posed by this vulnerability is the ability of malicious actors to gain unauthorized control of devices. This could allow them to manipulate device settings, install unapproved applications, or exfiltrate sensitive data.
- Escalation of Privileges: Since the vulnerability permits unauthorized addition of a Device Owner, it effectively allows an attacker to elevate their privileges within the system. This escalation could lead to further security breaches, as compromised administrators can exert control over a wide array of enterprise resources.
- Data Breach Risk: Exploitation of this vulnerability could lead to significant data breaches, particularly in environments where sensitive information is managed on Android devices. Confidential employee data, client information, and proprietary corporate data could be exposed, leading to compliance violations and financial repercussions for affected organizations.
CISA has reported CVE-2025-48633
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified CVE-2025-48633 as being exploited, but it is not known by CISA to be used in ransomware campaigns. This is subject to change at pace.
The CISA's recommendation is: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Android 16
Android 15
Android 14
News Articles
CVE-2025-48633 and CVE-2025-48572: Android Framework Information Disclosure and Privilege Escalation Vulnerabilities Exploited in the Wild | SOC Prime
Explore details for CVE-2025-48633 and CVE-2025-48572, high-severity Android Framework vulnerabilities, with a deep analysis on our SOC Prime blog.
4 weeks ago
Google fixes Android vulnerabilities "under targeted exploitation" (CVE-2025-48633, CVE-2025-48572) - Help Net Security
Google patches Android vulnerabilities, including CVE-2025-48633 and CVE-2025-48572, which "may be under limited, targeted exploitation".
1 month ago
CISA Warns of Android 0-Day Vulnerability Exploited in Attacks
CISA added two major Android Framework flaws to its Known Exploited Vulnerabilities list, showing they’re already being used in real attacks.
1 month ago
Timeline
- Vulnerability published
- Exploit known to exist
- CISA Reported
- First article discovered by Cyber Press
- Vulnerability Reserved