Full Report
Google has released its monthly Android Security Bulletin for March 2025 to address a total of 44 vulnerabilities, including two that it said have come under active exploitation in the wild. The two high-severity vulnerabilities are listed below - CVE-2024-43093 - A privilege escalation flaw in the Framework component that could result in unauthorized access to "Android/data," "Android/obb,"
Analysis Summary
# Vulnerability: Actively Exploited Privilege Escalation Flaws in March 2025 Android Security Bulletin
## CVE Details
- CVE ID: CVE-2024-43093, CVE-2024-50302
- CVSS Score: Not explicitly listed, but both designated as high-severity flaws under active exploitation.
- CWE: Not explicitly listed for either, but the descriptions imply **CWE-264 (Permissions, Privileges, and Access Controls)** issues (Privilege Escalation).
## Affected Systems
- Products: Android OS (Framework component and Linux kernel HID USB component)
- Versions: Affected versions are covered by the March 2025 Android Security Bulletin provided by Google. Specific versions are not detailed in the summary but are included in the cumulative updates.
- Configurations: Not specified, but affects devices running vulnerable Android builds prior to the March 2025 patches.
## Vulnerability Description
Two vulnerabilities have been actively exploited in the wild and addressed in the March 2025 update:
1. **CVE-2024-43093 (Framework):** A privilege escalation flaw in the Android Framework component. Successful exploitation allows an attacker to gain unauthorized access to sensitive directories: `Android/data`, `Android/obb`, and `Android/sandbox`, including their sub-directories. (This vulnerability was previously flagged for active exploitation in November 2024).
2. **CVE-2024-50302 (Linux Kernel):** A privilege escalation flaw in the HID USB component of the Linux kernel. This can lead to a leak of uninitialized kernel memory to a local attacker via specially crafted HID reports. This vulnerability was part of a chain used in an exploit discovered targeting a Serbian activist.
## Exploitation
- Status: **Actively Exploited in the wild** ("limited, targeted exploitation" acknowledged by Google).
- Complexity: Implied **Low to Medium** given the success in targeted attacks.
- Attack Vector:
  - CVE-2024-43093: Likely remote or local, leading to file system access.
  - CVE-2024-50302: **Local** (requires physical or local access via specially crafted HID reports).
## Impact
- Confidentiality: **High** (Unauthorized access to sensitive application data directories via CVE-2024-43093; kernel memory leak possible via CVE-2024-50302).
- Integrity: **High** (Privilege escalation achieved).
- Availability: Not explicitly detailed, but privilege escalation often carries high impact across other pillars.
## Remediation
### Patches
Google released patches via the March 2025 Android Security Bulletin, distributed through two security patch levels:
- **2025-03-01**
- **2025-03-05**
Affected partners should implement and deploy device builds incorporating these patch levels.
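The following is an added example, not part of the bulletin or the original report: a small triage script that sorts a device inventory by reported security patch level against the two levels above. It assumes the patch level strings were collected beforehand (for example from the `ro.build.version.security_patch` system property or an MDM export); the device names and inventory lines are constructed, and it relies on the bulletin convention that the `-05` level includes everything in the `-01` level.

```python
import re
from datetime import date

# Patch levels named in the March 2025 bulletin summary above.
FIRST_SPL = date(2025, 3, 1)   # covers only the first subset of fixes
FULL_SPL = date(2025, 3, 5)    # covers every issue in the bulletin
SPL_RE = re.compile(r"(\d{4})-(\d{2})-(\d{2})")

# Constructed sample inventory: "<device id>,<reported patch level>".
SAMPLE_INVENTORY = """\
device-a,2025-03-05
device-b,2025-03-01
device-c,2024-11-05
device-d,
device-e,2025-04-01
"""

def parse_spl(raw):
    """Return the patch level as a date, or None if missing or malformed."""
    m = SPL_RE.fullmatch(raw.strip())
    try:
        return date(*map(int, m.groups())) if m else None
    except ValueError:  # well-formed string but impossible date
        return None

def classify(raw):
    """Map a reported patch level string to a triage status."""
    spl = parse_spl(raw)
    if spl is None:
        return "unknown"      # treat as unpatched until verified
    if spl >= FULL_SPL:
        return "patched"
    if spl >= FIRST_SPL:
        return "partial"      # still needs the 2025-03-05 level
    return "unpatched"

def triage(inventory_text):
    """Group device ids by status from 'id,patch-level' lines."""
    groups = {"unpatched": [], "partial": [], "unknown": [], "patched": []}
    for line in inventory_text.splitlines():
        if line.strip():
            device, _, raw = line.partition(",")
            groups[classify(raw)].append(device.strip())
    return groups

if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(devices) or '-'}")
```

Devices in the `unknown` group report no usable patch level and should be verified by hand rather than assumed patched.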
### Workarounds
No specific workarounds are detailed in the provided summary, as immediate patching is advised due to active exploitation.
## Detection
- Indicators of Compromise (IOC): Not specified, but monitoring for attempts to access or read data under the `Android/data`, `Android/obb`, and `Android/sandbox` directories without proper authorization (related to CVE-2024-43093) should be prioritized.
- Detection methods and tools: Standard kernel monitoring tools for unusual memory access patterns or specific calls related to HID input processing might offer detection capabilities for CVE-2024-50302. Exploitation attempts related to CVE-2024-50302 utilized a chain involving CVE-2024-53104 and CVE-2024-53197 (which were patched previously).
## References
- Vendor Advisories: [Google's March 2025 Android Security Bulletin](https://source.android.com/docs/security/bulletin/2025-03-01)
- Relevant links:
  - [Information on CVE-2024-43093 fix](https://android.googlesource.com/platform/frameworks/base/+/7f83c671626f9bf993581f4598c22482d87cba10)
  - [Information on CVE-2024-50302 fix](https://android.googlesource.com/kernel/common/+/f02dd268a08d4e7ec09ec0ddd2a861ab5a51a0ae)
  - [Previous mention of CVE-2024-43093 exploitation](https://thehackernews.com/2024/11/google-warns-of-actively-exploited-cve.html)
  - [Cellebrite use of CVE-2024-50302 in exploit chain](https://thehackernews.com/2025/02/amnesty-finds-cellebrites-zero-day.html)