Google Android Framework Vulnerabilities
Targeted Sectors
· General Android users
It is suspected that the targets will specifically include the following:
· Journalists
· Activists
· Government officials
Countries
· Not specified, but exploitation is noted as "limited, targeted".
BLUF
Two zero-day vulnerabilities in the Android framework (an information disclosure flaw and a privilege escalation flaw) are being actively exploited in targeted attacks.
Date of First Reported Activity
· Prior to December 1, 2025.
Date of Last Reported Activity Update
· December 1, 2025
CVEs and CVSS Vectors for 3.1
CVE-2025-48633 (Information disclosure)
CVSS 3.1 Score and logic
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber (score 6.8)
Nessus ID:
· There is no plugin ID associated with this vulnerability at this time
Is this on the KEV list?
· Not at this time
Patching / Mitigation
· hxxps://source.android.com/docs/security/bulletin/2025-12-01
CVE-2025-48572 (Improper input validation)
CVSS 3.1 Score and logic
CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber (score 8.5)
Nessus ID:
· There is no plugin ID associated with this vulnerability at this time
Is this on the KEV list?
· Not at this time
Patching / Mitigation
· hxxps://source.android.com/docs/security/bulletin/2025-12-01
APT Names
· No specific APT groups have been named in relation to these two specific CVEs.
Associated Criminal Organization Names
· None specified
IOCs
· Not publicly available to prevent wider exploitation.
TTPs
· Limited information; the flaws allow for information access and privilege escalation within the Android framework. (TTP numbers not available).
Malware Names
· None specified
Suggested Rules / Potential Hunts
Suricata Rules
· None publicly available.
Sentinel Rules
· None publicly available.
Splunk Hunts
· Generic Splunk scenarios for detecting zero-day activity exist, but specific hunts for these CVEs are not public.
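Exposure can still be measured by patch level even without CVE-specific detections. The following is an added example, not part of the original advisory or any vendor tooling: it triages a device inventory export against the 2025-12-01 bulletin referenced under Patching / Mitigation. The CSV column names and sample rows are constructed, and it assumes the fixes for both CVEs ship in the 2025-12-01 security patch level (confirm against the bulletin).

```python
import csv
import io
from datetime import date

# Assumption: both framework fixes ship in the patch level named by the
# bulletin URL on this page (2025-12-01); confirm against the bulletin itself.
REQUIRED_PATCH_LEVEL = date(2025, 12, 1)

# Constructed sample inventory (hypothetical column names). On a device the
# value comes from `adb shell getprop ro.build.version.security_patch`.
SAMPLE_INVENTORY = """\
device_id,owner,security_patch
pixel-0142,newsroom,2025-12-05
galaxy-0077,exec-office,2025-11-01
pixel-0013,field-team,2025-12-01
tablet-0201,kiosk,
moto-0310,contractor,unknown
"""


def parse_patch_level(value):
    """Return a date for a YYYY-MM-DD patch level, or None if unusable."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None


def triage(inventory_csv, required=REQUIRED_PATCH_LEVEL):
    """Split devices into patched / exposed / unknown by patch level."""
    result = {"patched": [], "exposed": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        level = parse_patch_level(row.get("security_patch"))
        if level is None:
            # Missing or malformed data is not evidence of patching.
            bucket = "unknown"
        elif level >= required:
            bucket = "patched"
        else:
            bucket = "exposed"
        result[bucket].append(row["device_id"])
    return result


if __name__ == "__main__":
    for status, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{status:8} {', '.join(devices) or '-'}")
```

Devices in the "unknown" bucket should be followed up on rather than treated as patched.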
Delivery Method
· Specifics of the exploit chain have not been disclosed. Delivery likely involves a user action such as visiting a malicious website or opening a malicious message.
Email Samples
· Not available
References
Android Security Bulletin (December 2025)
· hxxps://source.android.com/docs/security/bulletin/2025-12-01
CISA Known Exploited Vulnerabilities (KEV) Catalog:
· hxxps://www.cisa.gov/known-exploited-vulnerabilities-catalog
CVE-2025-48572 Malwarebytes blog
· hxxps://www.malwarebytes.com/blog/news/2025/12/google-patches-107-android-flaws
The Hacker News
· hxxps://thehackernews.com/2025/12/google-patches-107-android-flaws.html
CyberSecurity Help
· hxxps://www.cybersecurity-help.cz/vdb/SB2025120164