
Google’s September 2025 Android Security Bulletin addresses over 80 vulnerabilities, including two actively exploited zero-day flaws and three critical issues, with the most severe allowing remote code execution (RCE) on unpatched devices without requiring user interaction.
The Android security team published the bulletin on September 2, 2025, following its standard disclosure practice of notifying partners at least a month prior. Patches are provided through two patch levels, 2025-09-01 and 2025-09-05, with the latter addressing all issues in the update. The most severe vulnerability is a critical RCE flaw in the System component (CVE-2025-48539), which could be exploited over proximity-based communication channels (like Wi-Fi or Bluetooth) without requiring any user interaction or elevated privileges.
Actively exploited flaws
Two vulnerabilities are currently under limited, targeted exploitation in the wild, suggesting these are high-priority flaws for both attackers and defenders:
CVE-2025-38352 – A high-severity local elevation-of-privilege (EoP) vulnerability in the Linux kernel time subsystem. Exploitation would require local access, likely through a malicious app or shell, but would grant attackers elevated privileges once successful.
CVE-2025-48543 – Another high-severity EoP flaw, this time in the Android Runtime (ART) component. Present in Android versions 13 through 16, this vulnerability allows local escalation of privileges without any user interaction, enabling attackers to bypass app sandboxing or gain system-level access on compromised devices.
Both zero-days are already being used in targeted attacks, which highlights the urgency of applying the latest patches.
Critical RCE in Android system
The most dangerous flaw fixed this month is:
CVE-2025-48539 – A critical RCE vulnerability in the System component. This bug enables remote code execution via proximal communication interfaces, such as Bluetooth, NFC, or Wi-Fi Direct, without requiring user interaction or special permissions. The vulnerability impacts Android versions 15 and 16 and could be exploited by attackers in physical proximity to the target device, such as in public spaces or conference settings.
This class of vulnerability is particularly concerning as it can be weaponized into wormable exploits or used in silent device compromises, especially in targeted espionage campaigns.
Three other critical vulnerabilities were found in Qualcomm’s closed-source components, though Google does not disclose full details. The issues, tracked under CVE-2025-21450, CVE-2025-21483, and CVE-2025-27034, are tagged as critical by Qualcomm, which suggests they may allow remote code execution or full device compromise within the chipset or baseband firmware. These components operate at a low level and can pose significant risks to device integrity and user privacy when exploited.
Android users should ensure their devices are patched to the 2025-09-05 security level or later to receive complete protection. Users can check their current patch level and apply the update via Settings > Security and privacy > System and updates > Security update.
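As an added example (not part of the bulletin or this article), the following POSIX shell script classifies a device's reported patch level against the two levels named above and reports which devices in a small fleet still need the update. It assumes the patch level is read from the real system property ro.build.version.security_patch over adb; the device inventory it runs on offline is constructed.

```shell
#!/bin/sh
# Added example, not from the bulletin: classify a device's Android security
# patch level (system property ro.build.version.security_patch, YYYY-MM-DD)
# against the two September 2025 patch levels named above.
PARTIAL_LEVEL="2025-09-01"    # fixes in the Android framework/system only
COMPLETE_LEVEL="2025-09-05"   # every issue in the bulletin, incl. Qualcomm parts
# ISO date -> comparable integer (2025-09-05 -> 20250905).
date_num() { printf '%s' "$1" | tr -d '-'; }

# classify_patch_level LEVEL -> prints complete | partial | unpatched | invalid
classify_patch_level() {
  # Reject anything that is not YYYY-MM-DD, so an empty or garbled property
  # (device offline, custom ROM) is flagged instead of silently treated as old.
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
    *) echo invalid; return 2 ;;
  esac
  n=$(date_num "$1")
  if [ "$n" -ge "$(date_num "$COMPLETE_LEVEL")" ]; then echo complete
  elif [ "$n" -ge "$(date_num "$PARTIAL_LEVEL")" ]; then echo partial
  else echo unpatched; fi
}

# check_device [SERIAL]: read the live value over adb (real adb options;
# -s picks one device when several are attached) and classify it.
check_device() {
  if [ -n "$1" ]; then
    level=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
  else
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
  fi
  printf '%s %s %s\n' "${1:-device}" "$level" "$(classify_patch_level "$level")"
}

# Constructed inventory (serial, patch level) so the script also runs offline;
# a real one comes from "adb devices" plus check_device for each serial.
SAMPLE_INVENTORY='pixel-a 2025-09-05
pixel-b 2025-09-01
tablet-c 2025-07-05
kiosk-d unknown'

# report_inventory: one "serial level class" line per device
report_inventory() {
  printf '%s\n' "$SAMPLE_INVENTORY" | while read -r serial level; do
    printf '%s %s %s\n' "$serial" "$level" "$(classify_patch_level "$level")"
  done
}
# count_incomplete: devices in the inventory not yet at the complete level
count_incomplete() { report_inventory | grep -vc ' complete$'; }
```

A device reporting 2025-09-01 has the framework fixes but not the Qualcomm ones, so the script treats only 2025-09-05 or later as fully patched.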