Pierluigi Paganini March 04, 2025

Android March 2025 security update addresses over 40 vulnerabilities, including two flaws actively exploited in attacks in the wild.

Android March 2025 security update addressed over 40 vulnerabilities, including two flaws, respectively tracked as CVE-2024-43093 and CVE-2024-50302, which are actively exploited in attacks in the wild.

“There are indications that the following may be under limited, targeted exploitation.

• CVE-2024-50302
• CVE-2024-43093″ reads the advisory published by Google.

CVE-2024-43093 (CVSS score of 7.8) is a Privilege Escalation Vulnerability in Android Framework. A flaw in ExternalStorageProvider.java allows bypassing a file path filter meant to block access to sensitive directories due to improper Unicode normalization. Successful exploitation of this issue could lead to local escalation of privilege with no additional execution privileges needed. The advisory pointed out that user interaction is needed for exploitation.

CVE-2024-50302 (CVSS score of 5.5) is a Linux kernel vulnerability that was fixed by zero-initializing the HID report buffer during allocation to prevent potential kernel memory leaks. 

Google did now share details about the attacks exploiting the above vulnerabilities, however, in 2024, the Security Lab provided evidence of a Cellebrite zero-day exploit chain to industry partners, leading Google to identify three vulnerabilities. CVE-2024-53104 was patched in Android’s February 2025 update, while CVE-2024-53197 and CVE-2024-50302 (CVSS score of 5.5) were patched in the Linux kernel but not yet in Android.

Amnesty International revealed that the vulnerability CVE-2024-50302 was likely used by Cellebrite’s mobile forensic tools to unlock the Android phone of a Serbian student activist.

Android’s March 2025 security update addressed ten critical vulnerabilities in System the System component that could lead to remote code execution.

“The most severe of these issues is a critical security vulnerability in the System component that could lead to remote code execution with no additional execution privileges needed.” states the bulletin. “The severity assessment is based on the effect that exploiting the vulnerability would possibly have on an affected device, assuming the platform and service mitigations are turned off for development purposes or if successfully bypassed.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Google)