CVE-2023-20959

7.8 HIGH

📋 TL;DR

This vulnerability allows guest users on Android 13 devices to escalate privileges locally by accessing the AddSupervisedUserActivity without proper permission checks. Attackers could gain elevated privileges without user interaction. Only Android 13 devices are affected.

💻 Affected Systems

Products:
  • Android
Versions: Android 13
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices running Android 13. Guest user functionality must be enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Guest user gains administrative control over the device, potentially accessing sensitive data, installing malware, or modifying system settings.

🟠 Likely Case

Guest user gains access to restricted functions or user data they shouldn't have permission to access.

🟢 If Mitigated

Proper permission checks prevent guest users from accessing the supervised user activity, maintaining normal security boundaries.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring physical or local access to the device.
🏢 Internal Only: HIGH - Any guest user with physical access to an Android 13 device could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires guest user access but no additional privileges. No user interaction needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Update March 2023 or later

Vendor Advisory: https://source.android.com/security/bulletin/2023-03-01

Restart Required: Yes

Instructions:

1. Go to Settings > System > System Update.
2. Check for and install the March 2023 Android security update.
3. Restart the device after installation completes.

🔧 Temporary Workarounds

Disable Guest User Mode (android)

Prevent exploitation by disabling guest user functionality on the device.

Settings > System > Multiple users > Guest > Turn off

🧯 If You Can't Patch

  • Disable guest user mode on all Android 13 devices
  • Restrict physical access to devices and implement device management policies

🔍 How to Verify

Check if Vulnerable:

Check the Android version under Settings > About phone > Android version. If it shows Android 13 without the March 2023 security patch, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.release

Verify Fix Applied:

Verify that the Android version is 13 with the March 2023 or later security patch in Settings > About phone > Android version.
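The release number alone does not distinguish a patched Android 13 build from an unpatched one, so the check below (an added example, not part of the original advisory) also reads the device's security patch level, exposed by the standard `ro.build.version.security_patch` property, and compares it against the March 2023 bulletin date given above.

```shell
# Added example: classify a build as exposed to CVE-2023-20959 from its
# Android release and its security patch level (YYYY-MM-DD). Both values
# are ordinary Android build properties readable over adb.
FIXED_PATCH="2023-03-01"   # bulletin that carries the fix, per the advisory

# Usage: cve_2023_20959_status <release> <security_patch>
# Prints one of: vulnerable, not_vulnerable, unknown.
cve_2023_20959_status() {
    release="$1"
    patch="$2"

    # Only Android 13 builds are affected.
    if [ "$release" != "13" ]; then
        echo "not_vulnerable"
        return 0
    fi

    # Turn YYYY-MM-DD into a plain integer (YYYYMMDD) so patch levels
    # can be ordered with a numeric comparison in any POSIX shell.
    patch_num=$(printf '%s' "$patch" | tr -d '-')
    fixed_num=$(printf '%s' "$FIXED_PATCH" | tr -d '-')
    case "$patch_num" in
        ''|*[!0-9]*) echo "unknown"; return 0 ;;   # missing or malformed date
    esac

    if [ "$patch_num" -lt "$fixed_num" ]; then
        echo "vulnerable"
    else
        echo "not_vulnerable"
    fi
}

# Read both properties from an attached device and classify it.
# (Not run automatically; call check_device with adb available.)
check_device() {
    rel=$(adb shell getprop ro.build.version.release | tr -d '\r')
    pl=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    printf 'release=%s patch=%s -> %s\n' "$rel" "$pl" \
        "$(cve_2023_20959_status "$rel" "$pl")"
}
```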

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to AddSupervisedUserActivity
  • Guest user performing privileged operations

Network Indicators:

  • None - this is a local exploit

SIEM Query:

Look for guest user activity logs showing access to supervised user functions

🔗 References
