CVE-2025-48633
In short
A flaw in Android's Device Policy Manager allows someone to add a Device Owner account after the device has already been set up, bypassing normal security checks. This could let an attacker gain administrative control over the device without needing special permissions or user approval.
Technical detail
CVE-2025-48633 is a logic error in hasAccountsOnAnyUser() of DevicePolicyManagerService.java that permits Device Owner provisioning after device setup has already completed. The attack vector is local; no additional execution privileges or user interaction are required. Successful exploitation results in local privilege escalation to Device Owner, granting administrative control of the device.
Summary generated and translated by AI from the official description.
In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
Google · Android