CVE-2025-26437

5.5 MEDIUM

📋 TL;DR

This vulnerability in Android's CredentialManagerService allows local attackers to retrieve candidate credentials without proper permission checks. It enables local information disclosure without requiring user interaction or additional privileges. All Android devices running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Android
Versions: Android versions prior to the June 2025 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: All Android devices running affected versions are vulnerable by default. The vulnerability is in the framework layer.

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker with physical access, or a malicious app already installed on the device, could extract credential information from the credential manager, potentially compromising authentication data for various services.

🟠

Likely Case

Malicious apps could silently harvest credential information from the credential manager, leading to credential theft and potential account compromise.

🟢

If Mitigated

With proper app sandboxing and permission controls, the impact is limited to credential information that the vulnerable app itself has access to.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access or a malicious app. No user interaction needed, but app installation or physical access is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Android Security Patch Level June 2025 or later

Vendor Advisory: https://source.android.com/security/bulletin/2025-06-01

Restart Required: No

Instructions:

1. Check for system updates in Settings > System > System update.
2. Apply the June 2025 Android security patch.
3. Verify the patch level in Settings > About phone > Android version.

🔧 Temporary Workarounds

Restrict app installations (applies to: all)

Only install apps from trusted sources like Google Play Store and avoid sideloading unknown apps.

Disable credential manager for sensitive apps (applies to: all)

For critical applications, disable credential manager/autofill functionality in app settings.

🧯 If You Can't Patch

  • Implement strict app vetting and only allow trusted applications
  • Use mobile device management (MDM) solutions to restrict app installations and monitor for suspicious behavior

🔍 How to Verify

Check if Vulnerable:

Check the Android security patch level in Settings > About phone > Android version. If the patch level is before June 2025, the device is vulnerable.

Check Version:

adb shell getprop ro.build.version.security_patch

Verify Fix Applied:

Verify Android security patch level shows 'June 5, 2025' or later in Settings > About phone > Android version.
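The patch-level check above, as an added shell example that is not part of this advisory: it validates the value returned by getprop ro.build.version.security_patch and compares it against the June 2025 level, treating an empty or malformed value as "unknown" rather than "fixed". The fixed level 2025-06-05 is assumed from the "June 5, 2025" string shown in Settings.

```shell
#!/bin/sh
# Added example, not from the advisory: classify a ro.build.version.security_patch
# value against the June 2025 level. FIXED_LEVEL is assumed from "June 5, 2025".
FIXED_LEVEL="2025-06-05"

# Accept only the YYYY-MM-DD form that getprop returns for this property.
valid_patch_level() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Exit status: 0 = at or after FIXED_LEVEL, 1 = earlier (vulnerable),
# 2 = malformed or empty (e.g. no device attached, so nothing to trust).
patch_level_is_fixed() {
  valid_patch_level "$1" || return 2
  # Dropping the dashes turns the ISO date into an integer (20250605),
  # so a plain numeric comparison orders the levels correctly.
  have=$(printf '%s' "$1" | tr -d '-')
  need=$(printf '%s' "$FIXED_LEVEL" | tr -d '-')
  [ "$have" -ge "$need" ]
}

# Print a one-word verdict; always exits 0 so it is safe under set -e.
classify_level() {
  rc=0
  patch_level_is_fixed "$1" || rc=$?
  case "$rc" in
    0) echo "FIXED" ;;
    1) echo "VULNERABLE" ;;
    *) echo "UNKNOWN" ;;
  esac
}

# Query a connected device; needs adb on PATH and USB debugging enabled.
check_device() {
  level=$(adb shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r')
  echo "$(classify_level "$level") patch_level=${level:-<empty>} fixed_at=$FIXED_LEVEL"
}

# Usage: sh check_patch.sh --device  (live device), or no argument to run the
# constructed sample values below (not real device output).
if [ "${1:-}" = "--device" ]; then
  check_device
else
  for sample in 2025-05-05 2025-06-05 2025-07-05 ""; do
    echo "$(classify_level "$sample") sample=${sample:-<empty>}"
  done
fi
```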

📡 Detection & Monitoring

Log Indicators:

  • Unusual credential manager access patterns
  • Multiple failed credential retrieval attempts from untrusted apps

Network Indicators:

  • None - this is a local vulnerability

SIEM Query:

Look for credential manager service access from apps with suspicious permissions or from newly installed applications.
