Login Sign Up

CVE-2025-22433

7.8 HIGH

📋 TL;DR

This vulnerability allows an attacker to bypass cross-profile intent filters in Android's Work Profile feature, enabling local privilege escalation without user interaction. It affects Android devices using Work Profile functionality, potentially allowing malicious apps to access restricted data or perform unauthorized actions across profile boundaries.

💻 Affected Systems

Products:
  • Android
Versions: Android versions prior to the April 2025 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects devices using Android's Work Profile feature. Personal devices without Work Profile configured are not vulnerable.

📦 What is this software?

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

Android by Google

View all CVEs affecting Android →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of Work Profile isolation, allowing malicious apps to access corporate data, install additional payloads, or perform actions with elevated privileges across profile boundaries.

🟠

Likely Case

Limited data exfiltration from Work Profile to personal profile, or unauthorized actions within the Work Profile context by malicious personal apps.

🟢

If Mitigated

Minimal impact if proper app vetting and mobile device management controls are in place to detect and block malicious applications.

🌐 Internet-Facing: LOW - This is a local privilege escalation vulnerability requiring local access to the device.
🏢 Internal Only: HIGH - Exploitable by any malicious app installed on the device, potentially compromising Work Profile security and corporate data.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a malicious app to be installed on the device, but no user interaction or special permissions are needed once installed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: April 2025 Android Security Patch or later

Vendor Advisory: https://source.android.com/security/bulletin/2025-04-01

Restart Required: Yes

Instructions:

1. Check for Android system updates in Settings > System > System update. 2. Install the April 2025 security patch or later. 3. Restart the device after installation.

🔧 Temporary Workarounds

Disable Work Profile

android

Remove Work Profile functionality to eliminate the attack surface

Settings > Accounts > Work Profile > Remove work profile

Restrict App Installations

all

Use mobile device management (MDM) to block installation of unknown apps

🧯 If You Can't Patch

  • Implement strict app vetting policies to prevent installation of potentially malicious applications
  • Use mobile threat defense solutions to detect and block exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check Android security patch level in Settings > About phone > Android version > Android security update

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify security patch date is April 2025 or later in Settings > About phone

📡 Detection & Monitoring

Log Indicators:

  • Unusual intent forwarding between profiles
  • Suspicious ActivityManager or PackageManager logs showing cross-profile access

Network Indicators:

  • Unusual data transfers that might indicate Work Profile data exfiltration

SIEM Query:

source="android_logs" AND ("IntentForwarderActivity" OR "canForward") AND action="bypass"

📊 Metadata

CVE ID: CVE-2025-22433
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-693
EPSS Score: 0.01% exploit probability (1.9th percentile)
Published: September 2, 2025
Last Updated: September 4, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-22433, you might also want to check these:

CVE-2023-31273 10.0

This vulnerability in Intel Data Center Manager (DCM) software allows unauthenticated attackers to b...

Same vulnerability type (CWE-693)
CVE-2021-32835 9.9

CVE-2021-32835 is a sandbox escape vulnerability in Eclipse Keti that allows authenticated attackers...

Same vulnerability type (CWE-693)
CVE-2025-68668 9.9

This CVE describes a sandbox bypass vulnerability in n8n's Python Code Node that allows authenticate...

Same vulnerability type (CWE-693)