CVE-2025-48633
CVE-2025-48633
Vexday Risk Score
43Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 5.5EPSS 0.2%KEV simPoC —Nuclei —Metasploit —Patch —
Lifecycle
02 Dec 2025Active exploitation (CISA KEV)
08 Dec 2025Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
In short
A flaw in Android's Device Policy Manager allows someone to add a Device Owner account after the device has already been set up, bypassing normal security checks. This could let an attacker gain administrative control over the device without needing special permissions or user approval.
Technical detail
CVE-2025-48633 exploits a logic error in hasAccountsOnAnyUser() of DevicePolicyManagerService.java that permits Device Owner provisioning post-setup. The attack vector is local; no additional privileges or user interaction required. Successful exploitation results in privilege escalation to Device Owner level, granting administrative device control.
Summary generated and translated by AI from the official description.
In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected products
Google · Android