CVE-2025-48572 & 48633 - Android Zero-Days in KEV
Category: Threat Alerts
CVE-2025-48572 and CVE-2025-48633 are high-severity zero-day vulnerabilities in the Android Framework component that were exploited in the wild and have now been patched. They map to MITRE ATT&CK techniques T1068 and T1203. CVE-2025-48572 is an elevation-of-privilege flaw, while CVE-2025-48633 is an information-disclosure bug. Google's December security bulletin includes 107 total fixes, highlighting ongoing targeted exploitation chains used for device compromise. The update also includes critical fixes such as CVE-2025-48631, which allows remote denial of service with no privileges required.

Attackers likely chain framework privilege-escalation and information-leak vulnerabilities with app or browser exploits to escape sandboxes. Because these flaws reside in the Android Framework, exploitation can occur via benign-looking apps or silent background components, so user awareness is not a sufficient defense.

Federal and private organizations face heightened risk where mobile devices access sensitive business systems. Business impact includes credential theft, covert surveillance, and unauthorized access to SaaS applications, potentially violating GDPR or HIPAA.

CISA added the flaws to the Known Exploited Vulnerabilities list and mandated patching by December 23, 2025, confirming active exploitation. Mitigation requires urgent installation of the December Android update, enforcing MDM-controlled patch compliance, restricting sideloading, and treating unpatched devices as high risk. Enterprises should apply zero-trust controls, monitor for signs of spyware, and restrict access from outdated devices.
CORTEX Protocol Intelligence Assessment
Business Impact: These Android Framework zero-days enable mobile spyware campaigns against executives and staff, increasing risk of credential theft and corporate account compromise. Exposure of regulated data may trigger legal and compliance obligations.

Technical Context: CVE-2025-48572 and CVE-2025-48633 represent privilege escalation and information disclosure vulnerabilities in the Android Framework. Their inclusion in the KEV catalog confirms real-world exploitation, requiring rapid mobile OS patching and stronger mobile threat detection.
Strategic Intelligence Guidance
- Enforce December 2025 Android updates across all managed and BYOD devices.
- Include CVE-2025-48572 and CVE-2025-48633 in emergency vulnerability workflows.
- Strengthen zero-trust access controls for mobile endpoints.
- Deploy mobile threat defense solutions to detect exploit indicators.
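
One way to turn the patch-compliance guidance above into a check, as an added example that is not part of the original alert: it triages a constructed MDM inventory export against the December 2025 update and the December 23, 2025 KEV due date. The CSV column names, the device rows and the allow/review/restrict/block tiers are assumptions, not any MDM product's schema or policy.

```python
import csv
import io
from datetime import date

# From the page: the fix ships in the December 2025 Android update and
# CISA's KEV due date is December 23, 2025.
REQUIRED_PATCH_MONTH = (2025, 12)
KEV_DUE = date(2025, 12, 23)

# Constructed sample of an MDM inventory export (hypothetical columns).
# patch_level follows the YYYY-MM-DD form of ro.build.version.security_patch.
SAMPLE_INVENTORY = """device_id,patch_level,sideloading
exec-phone-01,2025-12-05,off
sales-tab-07,2025-11-01,off
byod-114,2025-12-01,on
byod-209,,off
kiosk-03,not-reported,off
"""

def patch_month(level):
    """Return (year, month) of a patch level string, or None if unparseable."""
    try:
        parsed = date.fromisoformat(level.strip())
    except ValueError:
        return None
    return (parsed.year, parsed.month)

def assess(row, today):
    """Return (decision, reasons) for one row. Tier names are assumed policy."""
    month = patch_month(row["patch_level"])
    reasons = []
    if month is None:
        reasons.append("patch level unknown")
    elif month < REQUIRED_PATCH_MONTH:
        reasons.append("missing December 2025 update")
    unpatched = bool(reasons)
    if row["sideloading"].strip().lower() != "off":
        reasons.append("sideloading allowed")
    if unpatched:  # unknown is treated like unpatched: high risk
        return ("block" if today > KEV_DUE else "restrict"), reasons
    return ("review" if reasons else "allow"), reasons

def triage(inventory_csv, today):
    """Return {device_id: (decision, reasons)} for every row of the export."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {row["device_id"]: assess(row, today) for row in rows}

if __name__ == "__main__":
    for dev, (decision, why) in triage(SAMPLE_INVENTORY, date(2025, 12, 10)).items():
        print(f"{dev:14} {decision:9} {'; '.join(why)}")
```

A device that reports no patch level, or an unparseable one, is handled the same way as an unpatched device rather than being allowed by default.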
Intelligence Source: CVE-2025-48572 & 48633 - Android Zero-Days in KEV | Dec 3, 2025