Critical Android Zero-Days Actively Exploited in Real-World Attacks
Google has released the December 2025 Android Security Bulletin, addressing over 100 security issues across the platform. Two Android Framework zero-day vulnerabilities — CVE-2025-48633 and CVE-2025-48572 — are confirmed to be under active, targeted exploitation.
CVE-2025-48633 allows malicious apps to access sensitive information.
CVE-2025-48572 enables privilege escalation on vulnerable devices.
Google shipped fixes under patch levels 2025-12-01 and 2025-12-05. Shortly after publication, CISA added both vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming real-world use and enforcing patch deadlines for federal agencies.
Why it matters
Android devices often provide access to corporate email, VPN, MDM-managed systems and sensitive applications. A compromised device may serve as an entry point into the wider enterprise environment — especially when the zero-day is known to be actively exploited by targeted campaigns.
Recommended actions
Deploy the December patches immediately.
Review and enforce MDM policies.
Restrict sensitive access from unpatched devices.
Strengthen monitoring for anomalous mobile authentication events.
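An added fleet check, not part of the bulletin or this post, that supports the first and third actions above: it reads each device's ro.build.version.security_patch property over adb and flags any device still below the December level, so access restrictions can be applied to exactly those devices. The serials in the sample inventory are constructed, and 2025-12-05, the later of the two December patch levels, is assumed as the bar for fully patched.

```shell
#!/bin/sh
# Android exposes its security patch level as an ISO date (YYYY-MM-DD) in the
# ro.build.version.security_patch system property. The December 2025 bulletin
# shipped fixes under 2025-12-01 and 2025-12-05; the later level is assumed
# here as the bar for "fully patched".
MIN_PATCH_LEVEL="2025-12-05"

# patch_level_ok LEVEL [MIN]: returns 0 if LEVEL >= MIN, 1 if it is older,
# 2 if LEVEL is not a well-formed date (empty or vendor-mangled property).
patch_level_ok() {
    level="$1"
    min="${2:-$MIN_PATCH_LEVEL}"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Drop the hyphens so the dates compare as integers (20251205 >= 20251201).
    [ "$(printf '%s' "$level" | tr -d '-')" -ge "$(printf '%s' "$min" | tr -d '-')" ]
}

# classify_inventory: reads "serial patch_level" lines on stdin, prints one
# status line per device and, on the last line, the number needing action.
classify_inventory() {
    bad=0
    while read -r serial level; do
        [ -n "$serial" ] || continue
        if patch_level_ok "$level"; then
            printf 'OK      %s %s\n' "$serial" "$level"
        else
            bad=$((bad + 1))
            printf 'ACTION  %s %s (below %s)\n' "$serial" "${level:-unknown}" "$MIN_PATCH_LEVEL"
        fi
    done
    echo "$bad"
}

# Live use: feed every device adb can see into the classifier.
#   adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r s; do
#       printf '%s %s\n' "$s" "$(adb -s "$s" shell getprop ro.build.version.security_patch | tr -d '\r')"
#   done | classify_inventory

# Constructed sample inventory (serials are made up) for an offline run.
SAMPLE_INVENTORY="emulator-5554 2025-12-05
R58M0FAKE001 2025-11-01
ZY22FAKE0002 2025-12-01
ZY22FAKE0003 n/a"

printf '%s\n' "$SAMPLE_INVENTORY" | classify_inventory
```

Devices reporting a level older than the December bulletin, or no parseable level at all, land in the ACTION list; on the sample inventory that is three of the four entries.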
DIAMATIX Perspective
Mobile devices must be treated as first-class components of the attack surface. Zero-days in Android highlight the need for:
identity and device correlation within Shield SIEM/XDR;
continuous monitoring by MDR 360°;
early detection of unusual access patterns and compromised identities.
Sources
SecurityWeek — Android December 2025 Zero-Day Coverage
BleepingComputer — Actively Exploited Android Zero-Days Fixed in December Update