Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution in the context of the affected service account. Depending on the privileges associated with the service account an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Service accounts that are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.
THREAT INTELLIGENCE:
Google indicates limited, targeted exploitation of CVE-2024-43093 & CVE-2024-50302.
SYSTEMS AFFECTED:
- Android OS patch levels prior to 2025-03-05
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. Following the MITRE ATT&CK framework, exploitation of these vulnerabilities can be classified as follows:
Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):
- Multiple vulnerabilities in System that could allow for remote code execution. (CVE-2025-0074, CVE-2025-0075, CVE-2025-0084, CVE-2025-22403, CVE-2025-22408, CVE-2025-22410, CVE-2025-22411, CVE-2025-22412)
Tactic: Privilege Escalation (TA0004):
Technique: Exploitation for Privilege Escalation (T1068):
- Multiple vulnerabilities in Framework that could allow for elevation of privilege. (CVE-2024-0032, CVE-2024-43093, CVE-2025-0078, CVE-2025-0080, CVE-2025-0087)
- Multiple vulnerabilities in System that could allow for elevation of privilege. (CVE-2025-22409, CVE-2023-21125, CVE-2025-0079, CVE-2025-22404, CVE-2025-22405, CVE-2025-22406)
- A vulnerability in Kernel that could allow for elevation of privilege. (CVE-2024-46852)
Details of lower-severity vulnerabilities are as follows:
- Multiple vulnerabilities in Framework that could allow for information disclosure. (CVE-2024-43090, CVE-2025-0083, CVE-2025-0086)
- A vulnerability in Framework that could allow for denial of service. (CVE-2024-49740)
- A vulnerability in System that could allow for denial of service. (CVE-2025-0081)
- Multiple vulnerabilities in System that could allow for information disclosure. (CVE-2024-49728, CVE-2025-0082, CVE-2025-0092, CVE-2025-0093, CVE-2025-22407, CVE-2025-26417)
- Multiple vulnerabilities in Kernel that could allow for information disclosure. (CVE-2024-50302, CVE-2025-22413)
- A vulnerability in Google Play system updates. (CVE-2024-43093)
- Multiple vulnerabilities in MediaTek components. (CVE-2025-20645, CVE-2025-20644)
- Multiple vulnerabilities in Qualcomm components. (CVE-2024-49836, CVE-2024-49838, CVE-2024-53014, CVE-2024-53024, CVE-2024-53027)
- Multiple vulnerabilities in Qualcomm closed-source components. (CVE-2024-43051, CVE-2024-53011, CVE-2024-53025)
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate mitigations provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
- Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
- Safeguard 13.10 : Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
- Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
- Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
REFERENCES:
Android:
https://source.android.com/docs/security/bulletin/2025-03-01
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-0032
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43051
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43090
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-43093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46852
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49728
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49740
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49836
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49838
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50302
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53011
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53014
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53024
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53025
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-53027
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0074
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0075
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0078
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0080
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0081
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0082
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0083
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0084
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0086
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0092
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0093
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20644
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20645
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22403
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22404
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22405
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22406
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22407
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22408
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22409
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22410
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22411
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22412
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22413
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26417