Full Report
Christmas comes early for attackers this year

Two high-severity Android bugs were exploited as zero-days before Google issued a fix, according to its December Android security bulletin. …
Analysis Summary
This summary focuses on the two high-severity zero-day vulnerabilities mentioned, as well as the most critical issues detailed in the December Android Security Bulletin derived from the source text.
# Vulnerability: Exploited Android Framework Zero-Days (December Patch)
## CVE Details
- CVE ID: CVE-2025-48633
- CVSS Score: No numeric score given in the source; severity is rated High
- CWE: Information Disclosure
- CVE ID: CVE-2025-48572
- CVSS Score: No numeric score given in the source; severity is rated High
- CWE: Elevation of Privilege
## Affected Systems
- Products: Android Framework Component
- Versions: Patched in the December Android Security Bulletin. (Specific vulnerable versions not detailed in the text)
- Configurations: Standard Android installations.
## Vulnerability Description
**CVE-2025-48633:** An information-disclosure flaw in the Android Framework component.
**CVE-2025-48572:** An elevation-of-privilege bug, also in the Android Framework component, that likely allows a local attacker or malicious application to gain higher system privileges.
## Exploitation
- Status: Exploited in the wild (limited, targeted exploitation confirmed by Google)
- Complexity: Assumed Medium to Low, given successful exploitation prior to patch release.
- Attack Vector: Not explicitly detailed. Framework flaws of this kind are typically reached locally or through an installed application.
## Impact
- Confidentiality: High (For CVE-2025-48633)
- Integrity: High (For CVE-2025-48572, due to privilege escalation)
- Availability: Varies
---
**Note on other critical issues mentioned:** The bulletin also contained 7 critical vulnerabilities: CVE-2025-48631 (remote denial of service in Framework), four kernel elevation-of-privilege bugs (CVE-2025-48623, CVE-2025-48624, CVE-2025-48637, CVE-2025-48638), and two critical Qualcomm flaws (CVE-2025-47319, information disclosure; CVE-2025-47372, buffer overflow).
---
## Remediation
### Patches
- Patches are available via the December Android Security Bulletin. Users should apply all updates provided by their device manufacturer related to this bulletin.
### Workarounds
- No specific workarounds for these two zero-days were detailed in the source; immediate patching is the recommended course.
## Detection
- Detection strategies specifically targeting the two zero-days were not detailed in the source material.
- **General Mitigation:** Immediate system updates are the primary line of defense against known exploited vulnerabilities.
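Since patching is the only mitigation listed, a practical check is whether each device reports a security patch level at or after the fix. The script below is an added example, not part of the bulletin or the source report: it assumes a baseline of `2025-12-01` (the bulletin date cited on this page; confirm the required patch-level string against the bulletin itself) and runs over a constructed inventory of hypothetical device names.

```shell
#!/bin/sh
# Added example: flag devices whose Android security patch level predates a baseline.
# BASELINE is an assumption taken from the bulletin date cited on this page.
BASELINE="2025-12-01"

# is_patch_level STRING -> succeeds only if STRING has the form YYYY-MM-DD
is_patch_level() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# classify LEVEL -> prints PATCHED, OUTDATED or UNKNOWN.
# For a connected device, LEVEL can come from:
#   adb shell getprop ro.build.version.security_patch
classify() {
    level=$(printf '%s' "$1" | tr -d '\r')   # adb output may carry a trailing CR
    if ! is_patch_level "$level"; then
        echo UNKNOWN                         # missing or malformed: treat as unverified
    elif [ "$(printf '%s\n%s\n' "$BASELINE" "$level" | LC_ALL=C sort | head -n 1)" = "$BASELINE" ]; then
        echo PATCHED                         # ISO dates sort lexically, so level >= BASELINE
    else
        echo OUTDATED
    fi
}

# audit reads "device-id patch-level" lines on stdin and prints every device
# that is not confirmed patched. Blank lines and # comments are skipped.
audit() {
    while read -r id level rest; do
        case "$id" in ''|'#'*) continue ;; esac
        status=$(classify "$level")
        [ "$status" = PATCHED ] || printf '%s %s %s\n' "$id" "${level:-none}" "$status"
    done
}

# Constructed sample inventory (hypothetical device names and patch levels).
sample_inventory() {
    cat <<'EOF'
# device-id        patch-level
pixel-lab-01       2025-12-05
tablet-kiosk-07    2025-11-01
handset-042        2025-12-01
scanner-113        unknown
EOF
}

sample_inventory | audit
```

Devices reported as `UNKNOWN` should be handled like `OUTDATED` until their patch level can be read, since an unreadable value gives no evidence that the fix is installed.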
## References
- Vendor Advisories: December Android Security Bulletin (2025-12-01)
- Related CVE (Prior Zero-day): CVE-2025-13223 (V8 Engine Type Confusion)