CVE-2025-48541
📋 TL;DR
This vulnerability lets a local attacker remove biometric unlock enrollments (for example face unlock) belonging to other user profiles on an Android device, bypassing the authentication that normally gates changes to another profile's lock settings. It affects Android devices on which multiple user profiles are configured. Exploitation is local: the attacker needs access to the device (for example brief physical access), but no user interaction is required.
💻 Affected Systems
- Android Settings app
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
An attacker with brief physical access could disable biometric authentication across all user profiles and, combined with other weaknesses, ease access to data in other user accounts.
Likely Case
A malicious actor with temporary device access disables biometric unlock for other profiles, making later unauthorized access easier and, at minimum, denying those users their enrolled biometrics.
If Mitigated
Removing a biometric does not remove the underlying PIN, pattern or password that every biometric is backed by, so on a device where every profile has a strong knowledge factor the impact is limited to the inconvenience of re-enrolling biometrics.
🎯 Exploit Status
Exploitation requires local access to the device but no additional privileges and no user interaction. The flaw lies in the Settings app's face unlock configuration screen (FaceSettings), which can act on profiles other than the one running it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android September 2025 security patch or later
Vendor Advisory: https://source.android.com/security/bulletin/2025-09-01
Restart Required: Yes
Instructions:
1. Check for system updates in Settings > System > System update.
2. Install the September 2025 (2025-09-01) or later Android security patch.
3. Reboot the device after installation.
🔧 Temporary Workarounds
Disable multiple user profiles
Remove the vulnerable attack surface by disabling multi-user functionality
Settings > System > Multiple users > Remove guest and additional users
Use PIN/password as primary unlock
Set a PIN or password and leave face unlock unenrolled on shared devices. A biometric is only ever a secondary unlock on top of a PIN, pattern or password, so this removes the face unlock setting the flaw tampers with without weakening the lock screen.
Settings > Security > Screen lock > Set PIN or password
🧯 If You Can't Patch
- Implement strict physical security controls for devices
- Disable biometric unlock and use PIN/password only on shared devices
🔍 How to Verify
Check if Vulnerable:
Check the Android security patch level in Settings > About phone > Android version (the "Android security update" line). If it is earlier than 2025-09-01, treat the device as vulnerable.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify that the security patch level reads 2025-09-01 or later (the getprop command above prints it in YYYY-MM-DD form). As a functional check, confirm from a secondary profile that the Settings app can only remove that profile's own face enrollment, not another profile's.
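For more than one device, the single getprop command does not scale. The following fleet check is an added example, not code from the advisory or from Google: it enumerates authorized devices with `adb devices -l`, reads `ro.build.version.security_patch` from each, and reports which are below the fixed level. It assumes the fix ships in the 2025-09-01 patch level (the bulletin date given above; adjust `FIXED_LEVEL` if your vendor maps the fix to a different level) and that `adb` is on `PATH`. Unparseable or empty patch levels are deliberately reported as not fixed.

```python
"""Fleet check for the CVE-2025-48541 fix level via adb.

Added example, not from the advisory or from Google. Assumptions:
  * the fix ships in the 2025-09-01 Android security patch level
    (adjust FIXED_LEVEL if your vendor maps it differently);
  * `adb` is on PATH and the devices are authorized for USB debugging.
The pure functions are what a test exercises; main() is the adb wrapper.
"""
import datetime as dt
import subprocess
import sys
from typing import List, Optional

FIXED_LEVEL = dt.date(2025, 9, 1)  # assumed minimum fixed patch level


def parse_patch_level(value: str) -> Optional[dt.date]:
    """Parse ro.build.version.security_patch (YYYY-MM-DD); None on garbage."""
    try:
        return dt.date.fromisoformat(value.strip())
    except ValueError:
        return None


def is_fixed(value: str) -> bool:
    """True only when the level parses and is >= FIXED_LEVEL.
    Empty or unparseable values fail closed (reported as not fixed)."""
    level = parse_patch_level(value)
    return level is not None and level >= FIXED_LEVEL


def parse_adb_devices(output: str) -> List[str]:
    """Serials of devices in state 'device' from `adb devices -l` output.
    Offline/unauthorized devices are skipped; getprop would fail on them."""
    serials = []
    for line in output.splitlines()[1:]:  # line 0 is the header
        parts = line.split()
        if len(parts) >= 2 and parts[1] == "device":
            serials.append(parts[0])
    return serials


def getprop(serial: str, prop: str) -> str:
    out = subprocess.run(["adb", "-s", serial, "shell", "getprop", prop],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def main() -> int:
    """Print one line per device; exit 1 if any device is below the fix."""
    devs = subprocess.run(["adb", "devices", "-l"],
                          capture_output=True, text=True, check=True)
    worst = 0
    for serial in parse_adb_devices(devs.stdout):
        level = getprop(serial, "ro.build.version.security_patch")
        status = "FIXED" if is_fixed(level) else "VULNERABLE"
        print(f"{serial}\t{level or '<unset>'}\t{status}")
        if status != "FIXED":
            worst = 1
    return worst


if __name__ == "__main__":
    sys.exit(main())
```

The exit code makes the script usable from a compliance job: a non-zero result means at least one attached device still needs the September 2025 patch.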
📡 Detection & Monitoring
Log Indicators:
- Unexpected modifications to biometric settings
- Face unlock disabled events across user profiles
- Settings app crash logs related to FaceSettings
Network Indicators:
- None - local privilege escalation only
SIEM Query (illustrative; Android does not export these events natively, so the field names depend on what your MDM or log forwarder emits):
source="android_logs" AND (event="face_unlock_disabled" OR process="com.android.settings") AND user_profile_change=true
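The query above flags any face unlock removal; the signal that actually distinguishes this bug from a user tidying their own settings is a removal whose target profile differs from the acting profile, or several profiles losing face unlock within seconds. The script below is an added example, not code from the advisory or from Google, and runs those two rules over constructed log records. The record schema is an assumption: it mirrors the illustrative query's fields (`source`, `event`, `process`) plus `actor_user` and `target_user`, which a forwarder would have to supply for cross-profile correlation.

```python
"""Cross-profile biometric-removal detection for CVE-2025-48541.

Added example, not from the advisory or from Google. The event schema
(ts, source, event, process, actor_user, target_user) is an assumption;
Android does not export such events natively. SAMPLE_LOG is constructed.
"""
import json
from typing import Dict, List

WINDOW_SECONDS = 120  # burst window: several profiles lose biometrics at once

# Constructed sample. actor_user = profile whose Settings app acted,
# target_user = profile whose face enrollment was removed. One line is
# deliberately malformed to show that a bad record does not abort the batch.
SAMPLE_LOG = """
{"ts": 1000, "source": "android_logs", "event": "face_unlock_disabled", "process": "com.android.settings", "actor_user": 0, "target_user": 0}
{"ts": 1700, "source": "android_logs", "event": "face_unlock_disabled", "process": "com.android.settings", "actor_user": 0, "target_user": 10}
{"ts": 1705, "source": "android_logs", "event": "face_unlock_disabled", "process": "com.android.settings", "actor_user": 0, "target_user": 11}
{"ts": 1710, "source": "android_logs", "event": "screen_unlocked", "process": "com.android.systemui", "actor_user": 0, "target_user": 0}
this line is not json
{"ts": 9000, "source": "android_logs", "event": "face_unlock_disabled", "process": "com.android.settings", "actor_user": 10, "target_user": 10}
"""


def parse_events(text: str) -> List[Dict]:
    """One JSON object per line; malformed lines are skipped, not fatal."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def cross_profile_removals(events: List[Dict]) -> List[Dict]:
    """Rule 1: face unlock removed for a profile other than the acting one.
    A user legitimately removes only their own enrollment, so actor != target
    is the strongest single indicator of this bug being exercised."""
    return [e for e in events
            if e.get("event") == "face_unlock_disabled"
            and e.get("actor_user") != e.get("target_user")]


def removal_bursts(events: List[Dict], window: int = WINDOW_SECONDS) -> List[Dict]:
    """Rule 2: two or more distinct target profiles lose face unlock within
    `window` seconds. Works even when the forwarder cannot attribute the
    acting profile. Each burst is reported once, anchored at its first event."""
    removals = sorted((e for e in events if e.get("event") == "face_unlock_disabled"),
                      key=lambda e: e["ts"])
    alerts = []
    i = 0
    while i < len(removals):
        first = removals[i]
        profiles = {first["target_user"]}
        j = i + 1
        while j < len(removals) and removals[j]["ts"] - first["ts"] <= window:
            profiles.add(removals[j]["target_user"])
            j += 1
        if len(profiles) >= 2:
            alerts.append({"start_ts": first["ts"], "profiles": sorted(profiles)})
            i = j  # everything in this burst has been reported
        else:
            i += 1
    return alerts


def detect(text: str) -> Dict[str, List[Dict]]:
    """Run both rules over a newline-delimited JSON log and return the hits."""
    events = parse_events(text)
    return {"cross_profile": cross_profile_removals(events),
            "bursts": removal_bursts(events)}


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

On the sample, rule 1 fires twice (profile 0 removing face unlock for profiles 10 and 11) and rule 2 reports a single burst starting at ts 1700; the self-service removal at ts 9000 and the earlier removal by profile 0 of its own enrollment trigger nothing, which is the false-positive behaviour you want.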