THREAT INTELLIGENCE:
Google reports that CVE-2025-27363 may be under limited, targeted exploitation.
SYSTEMS AFFECTED:
- Android OS security patch levels issued prior to May 5, 2025.
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: Low
TECHNICAL SUMMARY:
Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for remote code execution with no additional execution privileges needed. According to the MITRE ATT&CK framework, these vulnerabilities can be classified as follows:
Tactic: Execution (TA0002):
Technique: Exploitation for Client Execution (T1203):
- A vulnerability in System that could allow for remote code execution. (CVE-2025-27363)
Tactic: Privilege Escalation (TA0004):
Technique: Exploitation for Privilege Escalation (T1068):
- Multiple vulnerabilities in Framework that could allow for elevation of privilege. (CVE-2023-21342, CVE-2024-34739, CVE-2025-0077, CVE-2025-0087, CVE-2025-22425, CVE-2025-26422, CVE-2025-26426, CVE-2025-26427, CVE-2025-26428, CVE-2025-26436, CVE-2025-26440, CVE-2025-26444)
- Multiple vulnerabilities in System that could allow for elevation of privilege. (CVE-2025-26420, CVE-2025-26421, CVE-2025-26423, CVE-2025-26425, CVE-2025-26430, CVE-2025-26435, CVE-2025-26438)
Details of lower-severity vulnerabilities are as follows:
- Multiple vulnerabilities in Framework that could allow for information disclosure. (CVE-2025-26424, CVE-2025-26442)
- A vulnerability in Framework that could allow for denial of service. (CVE-2025-26429)
- A vulnerability in System that could allow for information disclosure. (CVE-2023-35657)
- Multiple vulnerabilities in Google Play system updates. (CVE-2025-26427, CVE-2025-26420, CVE-2025-26423)
- A vulnerability in Imagination Technologies. (CVE-2024-49739)
- Multiple vulnerabilities in Arm components. (CVE-2025-0072, CVE-2025-0427)
- Multiple vulnerabilities in Imagination Technologies. (CVE-2024-12577, CVE-2024-46974, CVE-2024-46975, CVE-2024-47891, CVE-2024-47896, CVE-2024-47900, CVE-2024-52939)
- A vulnerability in MediaTek components. (CVE-2025-20666)
- Multiple vulnerabilities in Qualcomm components. (CVE-2024-45580, CVE-2025-21453, CVE-2025-21459, CVE-2025-21467, CVE-2025-21468)
- Multiple vulnerabilities in Qualcomm closed-source components. (CVE-2024-49835, CVE-2024-49841, CVE-2024-49842, CVE-2024-49845, CVE-2024-49846, CVE-2024-49847)
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate mitigations provided by Google to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
  - Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
  - Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
  - Safeguard 7.5: Perform Automated Vulnerability Scans of Internal Enterprise Assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
- Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
  - Safeguard 10.5: Enable Anti-Exploitation Features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Apple® System Integrity Protection (SIP) and Gatekeeper™.
  - Safeguard 13.10: Perform Application Layer Filtering: Perform application layer filtering. Example implementations include a filtering proxy, application layer firewall, or gateway.
- Restrict execution of code to a virtual environment on or in transit to an endpoint system. (M1048: Application Isolation and Sandboxing)
  - Safeguard 16.8: Separate Production and Non-Production Systems: Maintain separate environments for production and non-production systems.
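The advisory's affected-systems line (patch levels issued before May 5, 2025) and the M1051 recommendation reduce, in practice, to one fleet check: read each device's security patch level and compare it against 2025-05-05. The script below is an added example, not part of the advisory and not Google's or MS-ISAC's code. It reads the Android system property ro.build.version.security_patch (a YYYY-MM-DD string) over adb, or from an inventory export of "serial patch_level" lines; the sample inventory, its serials and its patch levels are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the advisory: flag Android devices whose security
# patch level predates the 2025-05-05 level that carries the fixes listed above.
# The patch level is the system property ro.build.version.security_patch, which
# is a YYYY-MM-DD string; `adb shell getprop ro.build.version.security_patch`
# returns it from an attached device.

REQUIRED_PATCH_LEVEL="2025-05-05"

# Turn a YYYY-MM-DD patch level into an integer such as 20250505 so that the
# shell's integer comparison is a correct date comparison.
level_to_int() {
    printf '%s' "$1" | sed 's/-//g'
}

# Exit status 0 if the level is at or after REQUIRED_PATCH_LEVEL, 1 if it is
# older, 2 if the string is not a YYYY-MM-DD patch level at all.
patch_level_is_current() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    if [ "$(level_to_int "$1")" -ge "$(level_to_int "$REQUIRED_PATCH_LEVEL")" ]; then
        return 0
    fi
    return 1
}

# Print one status line for a device: "<serial> <level> <verdict>".
classify_device() {
    serial="$1"
    level="$2"
    rc=0
    patch_level_is_current "$level" || rc=$?
    case "$rc" in
        0) printf '%s %s patched\n' "$serial" "$level" ;;
        1) printf '%s %s VULNERABLE (patch level before %s)\n' "$serial" "$level" "$REQUIRED_PATCH_LEVEL" ;;
        *) printf '%s %s UNKNOWN (unparseable patch level)\n' "$serial" "$level" ;;
    esac
}

# Read "serial patch_level" pairs from stdin (for example an MDM export) and
# print a status line for each.
audit_inventory() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        classify_device "$serial" "$level"
    done
}

# Query every device currently attached over adb. Skips quietly when adb is
# not installed, so the offline sample run below still works.
audit_adb_devices() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found; skipping live query" >&2; return 0; }
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' | while read -r serial; do
        # getprop output ends in CRLF on some adb builds; strip the CR.
        level=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        classify_device "$serial" "$level"
    done
}

# Constructed sample inventory (hypothetical serials and patch levels) so the
# script runs offline; replace with real data or call audit_adb_devices.
SAMPLE_INVENTORY='emulator-5554 2025-05-05
R58M1234ABC 2025-04-05
ZY22XYZ789 2025-06-01
HT7A1BAD000 unknown'

printf '%s\n' "$SAMPLE_INVENTORY" | audit_inventory
```

Devices reported as UNKNOWN deserve the same follow-up as VULNERABLE ones: a missing or malformed patch level usually means the property could not be read, not that the device is current. The integer comparison works only because the patch level is fixed-width YYYY-MM-DD, which the `case` pattern enforces before any arithmetic runs.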
REFERENCES:
CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-21342
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-35657
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-34739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-45580
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46974
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47891
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47896
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47900
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49739
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49835
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49842
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49845
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49846
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-49847
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-52939
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0072
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0077
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0087
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0427
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-20666
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21453
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21459
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21467
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-21468
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-22425
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26420
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26421
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-26422
