Login Sign Up

CVE-2025-0087

5.1 MEDIUM

📋 TL;DR

This vulnerability allows a malicious app to uninstall apps belonging to other users on the same Android device without proper permission checks. It affects Android devices with multiple user profiles where the attacker has local access. Exploitation requires no user interaction and can lead to privilege escalation.

💻 Affected Systems

Products:
  • Android
Versions: Android versions prior to the May 2025 security update
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices with multiple user profiles enabled. Single-user devices are not vulnerable.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker could uninstall critical system apps or security software, potentially disabling device protection mechanisms and enabling further attacks.

🟠

Likely Case

Malicious app removes competing apps or security tools from other user profiles, causing data loss and service disruption.

🟢

If Mitigated

With proper app sandboxing and user profile isolation, impact is limited to non-critical apps in the same user profile.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring physical or local app access.
🏢 Internal Only: MEDIUM - In multi-user Android environments (corporate devices, shared tablets), this could allow one user to disrupt another's apps.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires a malicious app to be installed on the device. No authentication bypass needed once app is installed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android May 2025 security update

Vendor Advisory: https://source.android.com/security/bulletin/2025-05-01

Restart Required: No

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the May 2025 security update. 3. No device restart required after update installation.

🔧 Temporary Workarounds

Disable multiple user profiles

Android

Remove additional user profiles to eliminate the attack surface

Settings > System > Multiple users > Remove all additional users

Restrict app installations

Android

Only allow app installations from trusted sources like Google Play Store

Settings > Security > Install unknown apps > Disable for all apps

🧯 If You Can't Patch

  • Monitor for unexpected app uninstallations across user profiles
  • Implement mobile device management (MDM) to control app installations and user profile creation

🔍 How to Verify

Check if Vulnerable:

Check Android version in Settings > About phone > Android version. If before May 2025 security update and multiple users exist, device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level is May 2025 or later in Settings > About phone > Android security update.

📡 Detection & Monitoring

Log Indicators:

  • PackageManager logs showing app uninstallations from different user IDs
  • Security logs showing permission denial attempts for UNINSTALL_PACKAGES

Network Indicators:

  • None - this is a local attack

SIEM Query:

source="android_system" AND "PackageManager" AND "UNINSTALL" AND user_id!="current_user"

📊 Metadata

CVE ID: CVE-2025-0087
CVSS v3 Score: 5.1 (MEDIUM)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
CWE: CWE-689
EPSS Score: 0.01% exploit probability (0.5th percentile)
Published: September 4, 2025
Last Updated: September 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON