CVE-2025-48618
📋 TL;DR
This vulnerability allows an attacker with physical access to interact with the browser from the Android lockscreen due to improper locking in the telephony framework. It enables physical privilege escalation without requiring user interaction or additional execution privileges. Affects Android devices with vulnerable telephony components.
💻 Affected Systems
- Android
📦 What is this software?
Android by Google
⚠️ Risk & Real-World Impact
Worst Case
Attacker with physical device access could bypass lockscreen security, access browser functionality, and potentially execute malicious actions or access sensitive information without authentication.
Likely Case
Physical attacker could launch browser from lockscreen to access cached credentials, saved passwords, or initiate malicious web requests while device appears locked.
If Mitigated
With proper physical security controls and updated software, risk is limited to devices left unattended in untrusted environments.
🎯 Exploit Status
Exploitation requires physical device access but no authentication or user interaction. Technical details are in the source code commit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Android security patch level December 2025 or later
Vendor Advisory: https://source.android.com/security/bulletin/2025-12-01
Restart Required: Yes
Instructions:
1. Check for Android system updates in Settings > System > System update.
2. Install the December 2025 security patch or later.
3. Reboot the device after installation.
🔧 Temporary Workarounds
Enable enhanced lockscreen security
Configure the lockscreen to require complex authentication before allowing any functionality.
Disable browser from lockscreen
Remove browser access from lockscreen settings if available.
🧯 If You Can't Patch
- Implement strict physical security controls for devices
- Configure device policies to disable all lockscreen shortcuts and emergency features
🔍 How to Verify
Check if Vulnerable:
Check Android security patch level in Settings > About phone > Android version. If before December 2025, device may be vulnerable.
Check Version:
adb shell getprop ro.build.version.security_patch
Verify Fix Applied:
Verify security patch level shows December 2025 or later in Settings > About phone > Android version.
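The check above can be scripted so it runs over a fleet instead of by hand. The following is an added example, not part of the advisory: it parses the `ro.build.version.security_patch` value that `adb shell getprop` returns (a `YYYY-MM-DD` string) and compares it against the December 2025 level named above. The function names and the `UNKNOWN` verdict for unparsable values are this example's own choices; the `adb` invocation only runs from `main()`.

```python
"""Compare an Android security patch level against the fix level for
CVE-2025-48618 (December 2025 bulletin). Added example; the comparison
logic and helper names are this example's own, not from the advisory."""
import re
import subprocess
from datetime import date
from typing import Optional

# Patch level at which the advisory says the fix is included.
FIX_LEVEL = "2025-12-01"

_PATCH_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})$")


def parse_patch_level(value: str) -> date:
    """Parse the YYYY-MM-DD string from ro.build.version.security_patch.

    Raises ValueError on anything else, so a blank or garbled property
    (e.g. on an emulator or a custom ROM) is reported rather than being
    silently treated as patched."""
    m = _PATCH_RE.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised security_patch value: {value!r}")
    y, mo, d = (int(g) for g in m.groups())
    return date(y, mo, d)  # also rejects impossible dates such as month 13


def is_fixed(patch_level: str, fix_level: str = FIX_LEVEL) -> bool:
    """True when the device's patch level is at or after the fix level."""
    return parse_patch_level(patch_level) >= parse_patch_level(fix_level)


def assess(patch_level: str) -> str:
    """Human-readable verdict; never throws, so it can run across a fleet."""
    try:
        fixed = is_fixed(patch_level)
    except ValueError as exc:
        return f"UNKNOWN ({exc})"
    return "PATCHED" if fixed else "VULNERABLE (patch level before December 2025)"


def read_device_patch_level(serial: Optional[str] = None) -> str:
    """Query a connected device over adb; only called from main()."""
    cmd = ["adb"] + (["-s", serial] if serial else []) + [
        "shell", "getprop", "ro.build.version.security_patch"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    print(assess(read_device_patch_level()))
```

Run it with a device attached to get a single verdict, or call `assess()` on values collected by an MDM export. Treating an unparsable property as `UNKNOWN` rather than `PATCHED` is deliberate: a missing or non-standard value is exactly the case where a manual look at the build is warranted.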
📡 Detection & Monitoring
Log Indicators:
- Unexpected browser launches from lockscreen
- Telephony framework errors related to CommandParamsFactory
Network Indicators:
- Browser traffic originating while device shows as locked
SIEM Query:
Search for processLaunchBrowser events from lockscreen context in Android system logs
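The SIEM query above is easiest to reason about as a small stateful scan: track whether the keyguard is shown, then flag any `processLaunchBrowser` handling that occurs while it is. The following is an added example, not part of the advisory. The logcat lines are constructed to illustrate the logic, and the `KeyguardViewMediator` messages used to infer lock state (`handleShow` / `handleHide`) are an assumption about the log format, not verified AOSP output; adapt the markers to what the OEM build actually emits.

```python
"""Flag LAUNCH BROWSER proactive-command handling that happens while the
keyguard is shown. Added detection example written for this advisory; the
log lines below are constructed, and the tag/message strings used to infer
lock state are assumptions, not verified AOSP log formats."""
import re
from typing import Dict, Iterable, List, Optional

# logcat -v threadtime: "MM-DD HH:MM:SS.mmm  PID  TID LEVEL TAG: message"
LOGCAT_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+\d+\s+\d+\s+"
    r"(?P<level>[VDIWEF])\s+(?P<tag>[^:]+):\s*(?P<msg>.*)$")

# Assumed lock-state markers (constructed; adjust to the real build's logs).
LOCK_SHOWN = ("KeyguardViewMediator", "handleShow")
LOCK_GONE = ("KeyguardViewMediator", "handleHide")
# The advisory names processLaunchBrowser in the telephony CAT code.
LAUNCH_MARKER = "processLaunchBrowser"

# Constructed sample: one launch while locked, one after unlock, one junk line.
SAMPLE_LOG = """\
01-15 09:00:01.000   812   812 D KeyguardViewMediator: handleShow
01-15 09:00:05.120  1103  1120 D CommandParamsFactory: processLaunchBrowser url=http://example.invalid
01-15 09:01:00.000   812   812 D KeyguardViewMediator: handleHide
01-15 09:02:10.400  1103  1120 D CommandParamsFactory: processLaunchBrowser url=http://example.invalid
not a logcat line at all
"""


def parse(line: str) -> Optional[Dict[str, str]]:
    """Split one threadtime line into fields, or None if it does not match."""
    m = LOGCAT_RE.match(line)
    return m.groupdict() if m else None


def find_locked_browser_launches(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Walk the log in order, tracking whether the keyguard is shown, and
    return every LAUNCH BROWSER handling record seen while it is."""
    locked = False
    hits: List[Dict[str, str]] = []
    for raw in lines:
        rec = parse(raw)
        if rec is None:
            continue  # unparsable line: skip it, but never reset lock state
        key = (rec["tag"].strip(), rec["msg"].strip())
        if key == LOCK_SHOWN:
            locked = True
        elif key == LOCK_GONE:
            locked = False
        elif LAUNCH_MARKER in rec["msg"] and locked:
            hits.append(rec)
    return hits


def scan_text(text: str) -> List[str]:
    """Convenience wrapper returning the timestamps of flagged events."""
    return [h["ts"] for h in find_locked_browser_launches(text.splitlines())]


if __name__ == "__main__":
    for ts in scan_text(SAMPLE_LOG):
        print(f"{ts}: SIM toolkit browser launch handled while device locked")
```

Feed it `adb logcat -v threadtime -d` output or an exported log; only the launch that falls between the keyguard-shown and keyguard-hidden markers is reported. Because lock state is inferred from the same log, a capture that starts mid-session with the keyguard already up will miss events until the next marker, so pair this with the "browser traffic while locked" network indicator rather than relying on it alone.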