CVE-2025-48575

7.8 HIGH

📋 TL;DR

This vulnerability lets a local attacker (in practice, a malicious app already running on the device) use the Android CertInstaller component to install arbitrary certificates without holding the permissions that operation normally requires; the advisory classifies it as a local privilege escalation. It affects Android devices running a vulnerable CertInstaller build. No user interaction is required for exploitation.

💻 Affected Systems

Products:
  • Android CertInstaller component
Versions: Android versions prior to December 2025 security patch
Operating Systems: Android
Default Config Vulnerable: ⚠️ Yes
Notes: Affects Android devices with vulnerable CertInstaller builds. The attacker needs code running locally on the device, typically a sideloaded or trojanised app; no network exposure is involved.

📦 What is this software?

CertInstaller is the AOSP system app (package com.android.certinstaller) that handles credential installation on Android: CA certificates, user certificates and PKCS#12 key pairs supplied as files or handed to it by another app. It is the code path behind Settings > Security > Encryption & credentials > Install a certificate, and it writes into the per-user credential store, not the system CA store that ships with the firmware.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A malicious app silently installs an attacker-controlled CA into the device's user credential store. Any app that trusts user-added CAs (browsers such as Chrome, apps that opt in through their network security configuration, and apps targeting API level 23 or lower) can then have its TLS traffic intercepted whenever the attacker also controls a network path, for example a proxy on the Wi-Fi the device uses. Combined with the privilege escalation the advisory describes, device integrity is compromised.

🟠

Likely Case

A local app installs an unauthorized CA certificate without the user noticing and uses it for man-in-the-middle attacks against the device's encrypted communications, limited to apps that trust user-added CAs.

🟢

If Mitigated

With the December 2025 patch applied, CertInstaller enforces its permission check again and a local app can no longer install certificates silently. With only the workarounds below in place, the exposure is reduced to apps the user has already installed from an allowed source, and a CA in the user store still cannot intercept traffic from apps that do not trust user-added CAs.

🌐 Internet-Facing: LOW - This is a local privilege escalation; the attacker needs code already running on the device (a malicious app) or physical access. It is not reachable over the network.
🏢 Internal Only: HIGH - Malicious apps, or users with local access, can exploit this to escalate privileges and install trusted CAs, undermining TLS for apps on the device.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires code running locally on the device but no elevated privileges, so a sideloaded or trojanised app is the expected vector. No public proof of concept was known at the time of writing.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: December 2025 Android Security Patch or later. The bulletin lists each CVE under a specific patch level string; confirm whether this one is 2025-12-01 or 2025-12-05 and require at least that level.

Vendor Advisory: https://source.android.com/security/bulletin/2025-12-01

Restart Required: Yes

Instructions:

1. Apply the December 2025 Android Security Patch (or a later one) from your device vendor or carrier.
2. Roll it out to affected devices through system updates, or through your EMM on managed fleets.
3. Confirm the installed level under Settings > About phone > Android version > Security patch level, or over adb with the ro.build.version.security_patch property.

🔧 Temporary Workarounds

Restrict app installation

Only install apps from trusted sources such as Google Play to reduce the chance that a malicious app reaches the device. On managed devices, enforce this through the EMM with the DISALLOW_INSTALL_UNKNOWN_SOURCES user restriction.

Disable unknown sources

On Android 8.0 and later this is a per-app permission rather than a global switch: Settings > Apps > Special app access > Install unknown apps. Revoke it for every app that does not need it.

Neither workaround fixes CertInstaller itself; both only reduce the chance that attacker code gets onto the device in the first place.

🧯 If You Can't Patch

  • Review the user-installed CA list on a schedule (Settings > Security > Encryption & credentials > Trusted credentials > User tab) and remove anything your organisation did not deploy; on managed devices the device owner can enumerate it with DevicePolicyManager.getInstalledCaCerts() and remove entries with uninstallCaCert().
  • Enforce application allowlisting through the EMM so that only approved packages can be installed and run.
  • Where feasible, have critical internal apps pin their certificates or restrict trust to system CAs in their network security configuration, so a rogue user-store CA cannot intercept them.

🔍 How to Verify

Check if Vulnerable:

Check the security patch level in Settings > Security > Security update (or Settings > About phone > Android version > Security patch level). If the date shown is earlier than 2025-12-01, the device is vulnerable.

Check Version:

Settings > About phone > Android version > Security patch level. The same value is exposed to apps as Build.VERSION.SECURITY_PATCH and to adb as the ro.build.version.security_patch property, formatted YYYY-MM-DD.

Verify Fix Applied:

Verify that the security patch level shows 2025-12-01 or later (or the exact level the bulletin lists for this CVE, if it is 2025-12-05).
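The check above, scripted for a fleet: an added example written for this page, not code from the advisory or from AOSP. It reads ro.build.version.security_patch over adb (that property is the value Settings shows as "Security patch level") and compares it with the patch level assumed to carry the fix; FIX_LEVEL, the script name and the CHECK_DEVICE variable are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the advisory or from AOSP: classify an Android
# device's security patch level against the December 2025 patch that
# carries the CertInstaller fix for CVE-2025-48575.
#
# ro.build.version.security_patch is formatted YYYY-MM-DD, so stripping
# the dashes yields an integer that orders correctly by date.

# Assumption: the fix is listed under the 2025-12-01 patch level. If the
# bulletin places it under 2025-12-05, raise this value accordingly.
FIX_LEVEL="2025-12-01"

# patch_status LEVEL
#   prints "vulnerable" (exit 1), "patched" (exit 0) or "unknown" (exit 2)
patch_status() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 2 ;;
    esac
    level_num=$(printf '%s' "$level" | sed 's/-//g')
    fix_num=$(printf '%s' "$FIX_LEVEL" | sed 's/-//g')
    if [ "$level_num" -lt "$fix_num" ]; then
        echo "vulnerable"; return 1
    fi
    echo "patched"; return 0
}

# device_patch_status [SERIAL]
#   reads the property from an attached device over adb and classifies it
device_patch_status() {
    if [ -n "${1:-}" ]; then set -- -s "$1"; else set --; fi
    level=$(adb "$@" shell getprop ro.build.version.security_patch | tr -d '\r\n')
    printf '%s: ' "${level:-<no value>}"
    patch_status "$level"
}

# Usage:
#   sh check_certinstaller_patch.sh 2025-11-01      # classify a level by hand
#   CHECK_DEVICE=1 sh check_certinstaller_patch.sh  # query the attached device
if [ -n "${1:-}" ]; then
    patch_status "$1"
elif [ "${CHECK_DEVICE:-0}" = "1" ]; then
    device_patch_status
fi
```

A device that reports a patch level at or above FIX_LEVEL is only known to be fixed if the vendor actually shipped the bulletin's CertInstaller patch; the property is set by the OEM build, so treat it as a necessary check, not a proof.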

📡 Detection & Monitoring

Log Indicators:

  • Certificate installation events you did not initiate. On managed devices the authoritative source is the device owner's security log (Android 9 and later), where installs and removals appear as SecurityLog.TAG_CERT_AUTHORITY_INSTALLED and TAG_CERT_AUTHORITY_REMOVED.
  • New entries under Trusted credentials > User that were not deployed by your EMM.

Network Indicators:

  • Apps that pin certificates suddenly failing TLS validation, which is what interception through a rogue CA looks like from the app's side.
  • TLS sessions from the device whose server certificate chains to a CA that is not in your expected set, visible from a network sensor or proxy logs.

SIEM Query:

source="android_system" AND (event="certificate_install" OR event="ca_install") AND result="success"

The source and event names in this query are placeholders; map them to the schema of whatever forwards the device security log into your SIEM (for Android Enterprise that is the device owner's SecurityLog stream, where the relevant event is TAG_CERT_AUTHORITY_INSTALLED). Alert on successful installs whose subject is not one of your own CAs, and treat a lack of events as inconclusive: the advisory does not say whether the bypassed code path still emits the normal audit event.
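The triage the query above gestures at, as an added example that is not part of the original advisory: it filters an export of CA-install events down to successful installs and flags any whose subject is not an allowlisted corporate CA. The real event source is SecurityLog.TAG_CERT_AUTHORITY_INSTALLED, retrieved by a device owner through DevicePolicyManager.retrieveSecurityLogs(); the one-event-per-line text format, the sample lines and the allowlisted CA names are all constructed for this example and will need adapting to your EMM's export format.

```shell
#!/bin/sh
# Added example, not from the advisory: triage CA-install events exported
# from a managed device's security log and flag any successful install
# whose subject is not one of the organisation's own CAs.
#
# The line format below is an assumption about how an EMM exports
# TAG_CERT_AUTHORITY_INSTALLED events; adapt the field parsing to yours.

# Constructed sample export (not real device data).
SAMPLE_LOG=$(cat <<'EOF'
2025-12-03T09:14:02Z CERT_AUTHORITY_INSTALLED result=1 subject="CN=Corp Internal CA,O=Example Corp"
2025-12-03T09:15:10Z CERT_AUTHORITY_INSTALLED result=1 subject="CN=Totally Legit Root,O=Not Example Corp"
2025-12-03T09:16:00Z CERT_AUTHORITY_INSTALLED result=0 subject="CN=Totally Legit Root,O=Not Example Corp"
2025-12-03T09:17:30Z CERT_AUTHORITY_REMOVED result=1 subject="CN=Old Corp CA,O=Example Corp"
EOF
)

# is_allowed_subject SUBJECT -> exit 0 if SUBJECT is a CA we deploy ourselves.
# Exact match on purpose: a substring match would let an attacker pick a
# subject that merely contains an allowed name.
is_allowed_subject() {
    for allowed in \
        "CN=Corp Internal CA,O=Example Corp" \
        "CN=Corp Device CA,O=Example Corp"; do
        [ "$1" = "$allowed" ] && return 0
    done
    return 1
}

# unexpected_ca_installs < export
#   prints every successful CA install whose subject is not allowlisted.
#   Failed attempts (result=0) are dropped here but still deserve a
#   lower-severity alert: they show something on the device tried.
unexpected_ca_installs() {
    grep 'CERT_AUTHORITY_INSTALLED' | grep ' result=1 ' |
    while IFS= read -r line; do
        subject=${line#*subject=\"}   # drop everything up to the opening quote
        subject=${subject%\"*}         # drop the closing quote and anything after
        is_allowed_subject "$subject" || printf '%s\n' "$line"
    done
}

# count_unexpected -> number of flagged events in the constructed sample
count_unexpected() {
    printf '%s\n' "$SAMPLE_LOG" | unexpected_ca_installs | wc -l | tr -d ' '
}

# Run over the sample: only the successful install of the non-corporate
# root should be printed.
printf '%s\n' "$SAMPLE_LOG" | unexpected_ca_installs
```

In a real pipeline the allowlist would come from the same place your EMM pushes CAs from, so that a legitimate rotation does not page anyone while a CA installed through the CertInstaller bypass does.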
