CVE-2025-48633
BaseFortify
Publication date: 2025-12-08
Last updated on: 2025-12-09
Assigner: Android (associated with Google Inc. or Open Handset Alliance)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| android | 13.0 | |
| android | 14.0 | |
| android | 15.0 | |
| android | 16.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-NVD-CWE-noinfo |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a logic error in the hasAccountsOnAnyUser function of DevicePolicyManagerService.java that allows an attacker to add a Device Owner after device provisioning. This can be exploited locally without needing any additional execution privileges or user interaction.
How can this vulnerability impact me? :
The vulnerability can lead to local escalation of privilege, meaning an attacker with local access could gain higher privileges on the device than intended, potentially compromising device security and control.
What immediate steps should I take to mitigate this vulnerability?
Apply the security patch that includes the fix committed on September 16, 2025, which addresses the vulnerability in DevicePolicyManagerService. Ensure your Android device is updated to the latest security patch level that contains this fix, as described in the Android framework base repository update. Keeping your device updated with the latest security patches is the recommended immediate mitigation step. [2]