Which zero-day vulnerabilities are being actively exploited in Android devices?

Two zero-day vulnerabilities are actively exploited: CVE-2025-38352 (CVSS score 7.4), a local privilege escalation vulnerability in the Linux Kernel time subsystem affecting Android Runtime; and CVE-2025-48543, an elevation of privilege flaw in Android Runtime (ART) component present in Android versions 13 through 16 that allows local privilege escalation without user interaction.

What is the most critical vulnerability in the September 2025 Android bulletin?

CVE-2025-48539 is a critical remote code execution vulnerability in the System component that enables remote (proximal/adjacent) code execution with no additional execution privileges needed and requires no user interaction for exploitation. This vulnerability affects Android versions 15 and 16 and represents the most serious threat due to its remote exploitation capability.

How does CVE-2025-38352 affect Android devices?

CVE-2025-38352 is a local privilege escalation vulnerability in the Linux Kernel time subsystem affecting the Android Runtime component. Exploitation requires local access, likely through a malicious app or shell, but grants attackers elevated privileges once successful. The vulnerability is linked to upstream kernel issues and has a CVSS score of 7.4.

What Qualcomm vulnerabilities are included in the Android September 2025 security update?

Three critical vulnerabilities were found in Qualcomm's closed-source components: CVE-2025-21450 (CVSS score 9.1), CVE-2025-21483, and CVE-2025-27034. Google does not disclose full details about these Qualcomm vulnerabilities due to their closed-source nature, but all are classified as critical severity.

Which Android versions are affected by the actively exploited vulnerabilities?

CVE-2025-48543 affects Android versions 13 through 16, while CVE-2025-48539 affects Android versions 15 and 16. CVE-2025-38352 affects the Android Runtime component across multiple versions. The widespread version impact makes these updates critical for a large number of Android devices.

How urgent is it to install the September 2025 Android security update?

Security experts strongly recommend immediate deployment of this update as soon as phone vendors release the patched version for their respective models. The urgency is due to active exploitation of two zero-day vulnerabilities and the critical nature of the remote code execution flaw that requires no user interaction.

Can CVE-2025-48543 be exploited without user interaction?

Yes, CVE-2025-48543 allows local escalation of privileges without any user interaction, enabling attackers to bypass app sandboxing or gain system-level access on compromised devices. This means a malicious app could potentially bypass sandbox restrictions and access higher-level system capabilities without the user being aware.

What makes CVE-2025-48539 particularly dangerous for Android users?

CVE-2025-48539 is particularly dangerous because it enables remote (proximal/adjacent) code execution with no additional execution privileges needed and requires no user interaction for exploitation. This means attackers within proximity could potentially compromise devices without the user doing anything, making it a significant threat to device security.

How can Android users protect themselves from these actively exploited vulnerabilities?

Users should install the September 2025 Android security update immediately when it becomes available from their device manufacturer, enable automatic security updates if available, avoid installing apps from untrusted sources, be cautious about granting unnecessary permissions to apps, and consider using additional security measures like mobile device management solutions for enterprise devices. Given the active exploitation, prompt updating is the most critical protection measure.

Advisory

Google releases September 2025 Android update, fixes over 80 vulnerabilities, two actively exploited

Q: What vulnerabilities are addressed in the Android Security Bulletin for September 2025?

Google's Android Security Bulletin for September 2025 addresses 84 vulnerabilities distributed across various Android subsystems including Framework, System, Kernel, and third-party components from manufacturers like ARM, MediaTek, Imagination Technologies, and Qualcomm. The update includes patches for two zero-day vulnerabilities that are actively being exploited in targeted attacks.

published: Sept. 3, 2025

Take action: This advisory creates a very weird situation - it's urgent because it patches actively exploited flaws, but most users can't rush the patch because their vendors may not have released an updated version of Android for their devices. Be aware that you shouldn't delay the update to your Android when the notification arrives on your phone.

Learn More

Google has released the Android Security Bulletin for September 2025, addressing 84 vulnerabilities. The security update includes patches for two zero-day vulnerabilities actively exploited in targeted attacks. The 84 vulnerabilities are distributed across various Android subsystems including Framework, System, Kernel, and third-party components from manufacturers like ARM, MediaTek, Imagination Technologies, and Qualcomm.

Actively exploited vulnerabilities

CVE-2025-38352 (CVSS score 7.4) - A local privilege escalation vulnerability in the Linux Kernel time subsystem. This flaw affects the Android Runtime component and has been linked to upstream kernel issues. Exploitation would require local access, likely through a malicious app or shell, but would grant attackers elevated privileges once successful.
CVE-2025-48543 (CVSS score not assigned) - Elevation of privilege flaw in the Android Runtime (ART) component. Present in Android versions 13 through 16, this vulnerability allows local escalation of privileges without any user interaction, enabling attackers to bypass app sandboxing or gain system-level access on compromised devices. It potentially allows a malicious app to bypass sandbox restrictions and access higher-level system capabilities.

Critical flaw

CVE-2025-48539 (CVSS score not assigned) - remote code execution vulnerability in the System component. It enables remote (proximal/adjacent) code execution with no additional execution privileges needed and requires no user interaction for exploitation. This vulnerability affects Android versions 15 and 16.

Three other critical vulnerabilities were found in Qualcomm's closed-source components, though Google does not disclose full details:

CVE-2025-21450 (CVSS score 9.1) - Critical severity flaw in Qualcomm closed-source component
CVE-2025-21483 (CVSS score not assigned) - Critical severity flaw in Qualcomm closed-source component
CVE-2025-27034 (CVSS score not assigned) - Critical severity flaw in Qualcomm closed-source component

Given the active exploitation of two zero-day vulnerabilities and the critical nature of the remote code execution flaw, security experts strongly recommend immediate deployment of this update as soon as the phone vendors release the patched version for their respective models.

Google releases September 2025 Android update, fixes over 80 vulnerabilities, two actively exploited

Read More
Critical authentication bypass flaw reported in ASUS Routers …
MediaTek reports multiple vulnerabilities, two classified as critical
WhatsApp users targeted in account takeover attack dubbed …
Service-Side prompt injection еxfiltration vulnerability reported in ChatGPT's …
Qualcomm patches actively exploited flaw in DSP Service …