
Google has issued a critical warning regarding two actively exploited high-severity Android vulnerabilities (CVE-2025-38352 and CVE-2025-48543) that allow local privilege escalation without user interaction. While immediate patches are being deployed for eligible devices, over a billion Android phones are no longer supported, leaving a vast attack surface. This prompted CISA to add both flaws to its Known Exploited Vulnerabilities catalog and to mandate that federal staff update by September 25, underscoring a significant and unmitigated cybersecurity risk for a large segment of the global mobile device landscape.
Google has confirmed that two high-severity vulnerabilities (CVE-2025-38352 and CVE-2025-48543) are being actively exploited in the Android ecosystem, allowing local privilege escalation without any user interaction. The severity of this threat is underscored by America's cyber defense agency (CISA) adding both flaws to its Known Exploited Vulnerabilities catalog and mandating that federal staff update or stop using affected devices by September 25. While Google is issuing immediate patches for its own Pixel devices, the fragmented nature of the Android market means updates for other OEM devices will be delayed. This event highlights a critical and persistent structural risk for the Android platform: over a billion devices are no longer supported and cannot receive security fixes, creating a vast and permanent attack surface. According to Zimperium data cited in the report, 25.3% of devices are un-upgradeable due to age. The issue also extends to the supply chain: three other critical vulnerabilities relating to Qualcomm chipsets are mentioned, indicating a broader hardware-level exposure beyond Google's direct software control.