CVE-2024-49732 – This vulnerability in Android's CompanionDevice... (How to Fix)

Q: What is the severity of CVE-2024-49732?

CVE-2024-49732 has a CVSS score of 7.8 (HIGH). This vulnerability in Android's CompanionDeviceManagerService allows local attackers to grant permissions without user consent due to missing permission checks. It enables local privilege escalation without requiring additional execution privileges or user interaction. All Android devices running vulnerable versions are affected.

📋 TL;DR

This vulnerability in Android's CompanionDeviceManagerService allows local attackers to grant permissions without user consent due to missing permission checks. It enables local privilege escalation without requiring additional execution privileges or user interaction. All Android devices running vulnerable versions are affected.

💻 Affected Systems

Products:

Android

Versions: Android versions prior to the January 2025 security update

Operating Systems: Android

Default Config Vulnerable: ⚠️ Yes

Notes: All Android devices with the vulnerable CompanionDeviceManagerService component are affected regardless of configuration.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with physical or remote access to the device could gain elevated privileges, potentially compromising the entire device, accessing sensitive data, or installing persistent malware.

🟠

Likely Case

Malicious apps could exploit this to gain permissions they shouldn't have, accessing sensitive device functions or user data without detection.

🟢

If Mitigated

With proper security controls and timely patching, the risk is limited to isolated privilege escalation attempts that can be detected and contained.

🌐 Internet-Facing: LOW

🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires local access to the device but no user interaction. The complexity is medium due to the need to understand Android's permission system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android security update from January 2025 or later

Vendor Advisory: https://source.android.com/security/bulletin/2025-01-01

Restart Required: No

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the January 2025 security update or later. 3. Verify the update completed successfully.

🔧 Temporary Workarounds

Disable unnecessary companion device permissions

all

Review and restrict companion device permissions for apps that don't need them

🧯 If You Can't Patch

Implement strict app installation policies to prevent malicious apps from being installed
Use mobile device management (MDM) solutions to monitor for suspicious permission requests

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If it's before the January 2025 security update, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify the Android security patch level shows January 2025 or later in Settings > About phone > Android version.

📡 Detection & Monitoring

Log Indicators:

Unusual permission grants in system logs
CompanionDeviceManagerService permission bypass attempts

Network Indicators:

None - this is a local privilege escalation vulnerability

SIEM Query:

Look for events related to permission escalation or CompanionDeviceManagerService anomalies in Android device logs

📊 Metadata

CVE ID: CVE-2024-49732

CVSS v3 Score: 7.8 (HIGH)

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-276

EPSS Score: 0.02% exploit probability (5.1th percentile)

Published: January 21, 2025

Last Updated: April 22, 2025

🔗 References

https://source.android.com/security/bulletin/2025-01-01 Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2024-49732, you might also want to check these: