Login Sign Up

CVE-2024-43769

7.8 HIGH

📋 TL;DR

This vulnerability in Android's PackageManagerService allows local privilege escalation by preventing the uninstallation of CloudDpc (Device Policy Controller) due to a logic error. Attackers could exploit this to gain elevated privileges without user interaction. Affects Android devices with vulnerable versions of the framework.

💻 Affected Systems

Products:
  • Android
Versions: Specific Android versions mentioned in the December 2024 security bulletin
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects devices using the vulnerable framework code. CloudDpc is part of Android's enterprise management features.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker gains persistent administrative control over the device, allowing them to install malicious apps, access sensitive data, or disable security controls.

🟠

Likely Case

Malicious apps could abuse this to prevent their own removal and maintain persistence with elevated privileges.

🟢

If Mitigated

With proper patching, the logic error is corrected and CloudDpc can be properly managed/uninstalled.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring physical or app-based access to the device.
🏢 Internal Only: HIGH - Malicious apps or users with device access could exploit this to gain persistent elevated privileges.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires local access and understanding of Android framework internals. No user interaction needed for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security patch level December 2024 or later

Vendor Advisory: https://source.android.com/security/bulletin/2024-12-01

Restart Required: No

Instructions:

1. Apply the December 2024 Android security patch. 2. Update affected devices through standard Android update channels. 3. Verify patch installation in device settings.

🔧 Temporary Workarounds

Disable CloudDpc if not needed

Android

If enterprise device management features are not required, disable CloudDpc to reduce attack surface.

Go to Settings > Security > Device admin apps > Disable CloudDpc

🧯 If You Can't Patch

  • Restrict physical access to vulnerable devices
  • Implement strict app installation policies and monitor for suspicious apps

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version. If before December 2024, device may be vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch level shows December 2024 or later. Test CloudDpc uninstallation functionality.

📡 Detection & Monitoring

Log Indicators:

  • Failed uninstallation attempts of CloudDpc
  • Unexpected DeviceAdmin activation events

Network Indicators:

  • None - this is a local privilege escalation

SIEM Query:

Search for DeviceAdmin policy changes or failed package removal events in Android device logs

📊 Metadata

CVE ID: CVE-2024-43769
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-276
EPSS Score: 0.04% exploit probability (10th percentile)
Published: January 3, 2025
Last Updated: April 21, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-43769, you might also want to check these:

CVE-2025-40585 9.9

Energy Services solutions using G5DFR contain default credentials, allowing attackers to gain contro...

Same vulnerability type (CWE-276)
CVE-2023-47462 9.8

This vulnerability allows remote attackers to execute arbitrary code on GL.iNet AX1800 routers by ex...

Same vulnerability type (CWE-276)
CVE-2022-41572 9.8

CVE-2022-41572 is a privilege escalation vulnerability in EyesOfNetwork (EON) where nmap can be exec...

Same vulnerability type (CWE-276)