CVE-2025-48612
📋 TL;DR
This vulnerability allows applications in a work profile to improperly set the main user's default NFC payment setting due to insufficient input validation. It enables local privilege escalation without requiring additional execution privileges or user interaction. Android devices with work profiles are affected.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Malicious app in work profile could change NFC payment defaults to attacker-controlled payment apps, potentially enabling financial fraud or credential theft.
Likely Case
Work profile apps could interfere with legitimate NFC payment functionality, causing payment failures or redirecting payments.
If Mitigated
With proper app isolation and work profile restrictions, impact is limited to payment setting manipulation without broader system compromise.
🎯 Exploit Status
Exploitation requires installing a malicious app in work profile, but no user interaction needed after installation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: December 2025 Android security patch or later
Vendor Advisory: https://source.android.com/security/bulletin/2025-12-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > System update.
2. Install the December 2025 security patch or later.
3. Restart the device after installation.
🔧 Temporary Workarounds
Disable work profiles
Remove work profiles from affected devices to eliminate the attack vector.
Settings > Accounts > Remove work profile
Restrict app installations
Prevent installation of untrusted apps in work profiles.
Settings > Security > Install unknown apps > Disable for work profile
🧯 If You Can't Patch
- Monitor for suspicious NFC payment setting changes in device logs
- Implement strict app vetting for work profile installations
🔍 How to Verify
Check if Vulnerable:
Check the Android security patch level in Settings > About phone > Android version > Security patch level. If it is earlier than December 2025, the device is vulnerable.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify security patch level shows December 2025 or later after update.
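The check above can be scripted so it evaluates both conditions this advisory names, a security patch level before 2025-12-01 and the presence of a work profile. The script below is an added example, not part of the advisory or of Android's own tooling. It compares the `ro.build.version.security_patch` value as an ISO date and, as a labelled assumption, treats any `UserInfo{}` entry in `pm list users` output with a user id other than 0 as a work profile. The `pm list users` sample output is constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example: assess a device against the two conditions in the advisory.
# Pure functions take the getprop / pm output as arguments so they can be run
# offline against captured values; check_connected_device wraps them with adb.

FIXED_PATCH="2025-12-01"   # patch level named in the advisory

# date_to_int <YYYY-MM-DD>: 2025-12-01 -> 20251201, for POSIX integer comparison
date_to_int() {
    printf '%s' "$1" | sed 's/-//g'
}

# classify_patch_level <YYYY-MM-DD>
# Prints "vulnerable" when the level is before FIXED_PATCH, "patched" otherwise,
# and "unknown" when the value is not an ISO date (e.g. an empty getprop result).
classify_patch_level() {
    level="$1"
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "unknown"; return 0 ;;
    esac
    if [ "$(date_to_int "$level")" -lt "$(date_to_int "$FIXED_PATCH")" ]; then
        echo "vulnerable"
    else
        echo "patched"
    fi
}

# has_work_profile <pm list users output>
# Assumption (not from the advisory): a managed (work) profile appears in
# `pm list users` as an extra UserInfo{} entry whose user id is not 0.
# Exit status 0 when such an entry exists.
has_work_profile() {
    printf '%s\n' "$1" | grep -E 'UserInfo\{[1-9][0-9]*:' >/dev/null
}

# assess <patch level> <pm list users output>
# Prints "exposed" only when both conditions hold, otherwise "not-exposed:<reason>".
assess() {
    result=$(classify_patch_level "$1")
    if [ "$result" = "vulnerable" ] && has_work_profile "$2"; then
        echo "exposed"
    else
        echo "not-exposed:$result"
    fi
}

# check_connected_device: query a device over adb when adb is available.
check_connected_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found" >&2; return 1; }
    level=$(adb shell getprop ro.build.version.security_patch | tr -d '\r')
    users=$(adb shell pm list users | tr -d '\r')
    assess "$level" "$users"
}

# Constructed sample `pm list users` output (not captured from a real device)
SAMPLE_USERS_WORK='Users:
    UserInfo{0:Owner:c13} running
    UserInfo{10:Work profile:1030} running'
SAMPLE_USERS_NONE='Users:
    UserInfo{0:Owner:c13} running'

# Offline demonstration on the constructed samples
assess "2025-11-01" "$SAMPLE_USERS_WORK"   # exposed
assess "2025-12-01" "$SAMPLE_USERS_WORK"   # not-exposed:patched
assess "2025-11-01" "$SAMPLE_USERS_NONE"   # not-exposed:vulnerable
```

Run `check_connected_device` with a device attached to evaluate a live handset; the patch level is compared as a date rather than a string so that the "December 2025 or later" condition holds for every later month as well.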
📡 Detection & Monitoring
Log Indicators:
- Unexpected NFC payment service changes
- Work profile apps accessing payment settings
Network Indicators:
- None (local-only vulnerability)
SIEM Query:
android.security.patch_level < "2025-12-01" AND work_profile_exists = true