Thursday, December 4, 2025

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added two Android Framework vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, a list of security flaws that have been confirmed as actively exploited in the wild and are subject to mandatory remediation timelines for government agencies. The newly added vulnerabilities are:
- CVE-2025-48572: Android Framework Privilege Escalation
- CVE-2025-48633: Android Framework Information Disclosure
The additions coincide with the release of the December Android security update, which patches 107 vulnerabilities across the system, kernel, and vendor components. Google confirmed that both vulnerabilities have been used in limited, targeted attacks, although technical details of the exploitation have not been publicly disclosed. The December patch set is delivered in two patch levels (12-01 and 12-05) to allow device manufacturers to release security updates more quickly based on risk and implementation requirements.
Under Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities within a designated timeframe to reduce exposure to attacks. CISA has instructed agencies to fix both Android vulnerabilities by December 23, 2025.
Security experts recommend that private-sector organizations also review the KEV Catalog and assess their exposure, as vulnerabilities added to the list typically represent high-risk threats that are already being exploited and may pose a significant risk to enterprise infrastructure.
