CVE-2024-49728

5.5 MEDIUM

📋 TL;DR

This vulnerability allows a malicious app on an Android device to access media files from other user profiles without permission. It affects Android devices with multiple user profiles enabled. No user interaction is required for exploitation.

💻 Affected Systems

Products:
  • Android
Versions: Android versions prior to the April 2025 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Requires multiple user profiles to be enabled on the device for cross-user impact.

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could access sensitive photos, videos, or documents from other user profiles on the same device, potentially exposing personal or confidential information.

🟠 Likely Case

Malicious apps could silently exfiltrate media files from other user profiles, compromising privacy but not system integrity.

🟢 If Mitigated

With proper app sandboxing and user profile isolation, impact is limited to media file disclosure within the device.

🌐 Internet-Facing: LOW - This is a local vulnerability requiring app installation on the device.
🏢 Internal Only: MEDIUM - Malicious apps could exploit this to access data across user profiles on shared devices.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a malicious app to be installed on the device with Bluetooth file transfer permissions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2025 Android Security Patch or later

Vendor Advisory: https://source.android.com/security/bulletin/2025-04-01

Restart Required: No

Instructions:

1. Go to Settings > System > System update.
2. Check for and install the April 2025 security patch.
3. Verify the patch is applied in Settings > About phone > Android security patch level.

🔧 Temporary Workarounds

Disable Bluetooth File Transfer (Android): prevent Bluetooth file transfer functionality that could be exploited.

Restrict App Permissions (Android): review and restrict Bluetooth permissions for untrusted apps.

🧯 If You Can't Patch

  • Disable multiple user profiles on shared devices
  • Use device management policies to restrict Bluetooth file transfer capabilities

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone. If it is earlier than April 2025, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows April 2025 or later in Settings > About phone.
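An added example (not from the advisory or from Android's own tooling) that turns the verification steps above into a POSIX shell helper: it compares the `getprop` patch level against the April 2025 fix date and, because the cross-user impact only applies when more than one profile exists, counts profiles from `pm list users`. The `UserInfo{...}` line format assumed for that output is an assumption, not something the advisory states.

```shell
# Added example (not part of the advisory): checks a device's exposure to
# CVE-2024-49728 from its security patch level and its number of user profiles.
# Patch-level strings are YYYY-MM-DD, as returned by
# `adb shell getprop ro.build.version.security_patch`.
FIXED_PATCH_LEVEL="2025-04-01"   # April 2025 bulletin, per the advisory

# Returns 0 if the level is on or after the fix date, 1 if it is earlier,
# 2 if the string is not a YYYY-MM-DD date (empty or unusual builds).
patch_level_is_fixed() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    # Strip the dashes so both dates compare as 8-digit integers (POSIX sh safe).
    lvl=$(printf '%s' "$1" | tr -d '-')
    fix=$(printf '%s' "$FIXED_PATCH_LEVEL" | tr -d '-')
    [ "$lvl" -ge "$fix" ]
}

# Counts user profiles in `pm list users` output, assuming one "UserInfo{...}"
# line per profile. Takes the output as an argument so it can be tested offline.
count_user_profiles() {
    printf '%s\n' "$1" | grep -c 'UserInfo{' || true
}

# Queries a connected device over adb and prints a verdict.
check_device() {
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r\n')
    users=$(count_user_profiles "$(adb shell pm list users)")
    rc=0
    patch_level_is_fixed "$level" || rc=$?
    case "$rc" in
        0) echo "PATCHED: security patch level $level" ;;
        1) if [ "$users" -gt 1 ]; then
               echo "VULNERABLE: patch level $level, $users user profiles present"
           else
               echo "UNPATCHED (single profile, no cross-user exposure yet): $level"
           fi ;;
        *) echo "UNKNOWN: could not parse patch level '$level'" ;;
    esac
}
```

Run `check_device` with a device attached over adb; the two helper functions take plain strings and can be used on patch levels collected from a fleet inventory instead.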

📡 Detection & Monitoring

Log Indicators:

  • Unusual Bluetooth file transfer activity between user profiles
  • Apps requesting Bluetooth permissions abnormally

Network Indicators:

  • Local Bluetooth file transfers between different user contexts

SIEM Query:

source="android_logs" AND (event="bluetooth_file_transfer" AND target_user!=current_user)
