CVE-2025-48588
BaseFortify
Publication date: 2025-12-08
Last updated on: 2025-12-09
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
In startAlwaysOnVpn of Vpn.java, there is a possible way to disable always-on VPN due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | vpn | 3.1 |
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 | |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in the startAlwaysOnVpn function of Vpn.java that allows the always-on VPN feature to be disabled unexpectedly. It can be exploited locally without needing any additional execution privileges or user interaction.
How can this vulnerability impact me?
The vulnerability could allow a local attacker to disable the always-on VPN, potentially exposing network traffic that was supposed to be protected, leading to a local escalation of privilege without requiring extra permissions.