
CVE-2025-0082: Information disclosure in Google Android

Medium
Published: Tue Aug 26 2025 (08/26/2025, 22:48:41 UTC)
Source: CVE Database V5
Vendor/Project: Google
Product: Android

Description

In multiple functions of StatusHint.java and TelecomServiceImpl.java, there is a possible way to reveal images across users due to a confused deputy. This could lead to local information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.

AI-Powered Analysis

Last updated: 09/03/2025, 01:05:34 UTC

Technical Analysis

CVE-2025-0082 is a medium-severity information disclosure vulnerability affecting multiple versions of the Google Android operating system, specifically versions 12, 12L, 13, 14, and 15. The vulnerability arises from a confused deputy problem within multiple functions of the StatusHint.java and TelecomServiceImpl.java components. A confused deputy occurs when a privileged component is tricked into misusing its authority, in this case allowing unauthorized access to images across different user profiles on the same device. Exploitation requires local access with limited privileges (PR:L) and user interaction, but does not require elevated execution privileges. The vulnerability can lead to unauthorized disclosure of sensitive images stored on the device, impacting confidentiality. The CVSS 3.1 base score is 5.5, reflecting a medium severity level, with an attack vector of local access, low attack complexity, and no user interface required for the attack once local access is obtained. The vulnerability does not affect integrity or availability, only confidentiality. No known exploits are currently reported in the wild, and no patches have been linked yet. The CWE classification is CWE-610, which relates to improper control of a resource through a confused deputy problem. This vulnerability highlights the risks of multi-user environments on Android devices where user isolation mechanisms can be bypassed due to flawed permission handling in system services related to telephony and status hints.

Potential Impact

For European organizations, the primary impact of CVE-2025-0082 is the potential unauthorized disclosure of sensitive images stored on Android devices used within the organization. This could include corporate-owned devices or employee personal devices used for work (BYOD). The confidentiality breach could expose sensitive personal or corporate information, potentially violating GDPR requirements for data protection and privacy. Although the attack requires local access and user interaction, insider threats or social engineering could facilitate exploitation. The vulnerability could be particularly impactful in sectors handling sensitive personal data such as healthcare, finance, and government agencies. Since Android is widely used across Europe, the risk is significant for organizations relying on Android devices for communication and data storage. The lack of known exploits in the wild suggests a window of opportunity for proactive mitigation before widespread exploitation occurs. However, the medium severity indicates that while the impact is serious, it is not critical or likely to cause immediate operational disruption.

Mitigation Recommendations

To mitigate CVE-2025-0082, European organizations should:

1) Ensure all Android devices are updated promptly once official patches are released by Google, as no patches are currently linked.
2) Enforce strict device access controls to prevent unauthorized local access, including strong lock screen policies and biometric authentication.
3) Educate users about the risks of social engineering and the importance of not interacting with suspicious prompts that could trigger the vulnerability.
4) Limit the use of multi-user profiles on Android devices where possible, as the vulnerability exploits cross-user image disclosure.
5) Employ mobile device management (MDM) solutions to monitor and control app permissions and system service interactions.
6) Regularly audit devices for unusual access patterns or attempts to access images across user boundaries.
7) Consider restricting the use of affected Android versions in high-risk environments until patches are available.

These steps go beyond generic advice by focusing on user interaction prevention, multi-user profile management, and device access controls specific to this vulnerability’s exploitation vector.
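One way to act on points 4 and 7 above, as an added example that is not part of the original advisory: it takes per-device output of `getprop ro.build.version.sdk` and `pm list users` (collected beforehand, for instance over adb or by an MDM agent) and flags devices on a listed release that also carry secondary users or profiles. The inventory records, serials and status labels are constructed for illustration; releases are matched by API level because 12 and 12L differ only there (31 vs 32).

```python
import re

# Releases the advisory lists as affected, keyed by API level.
AFFECTED_SDK = {31: "12", 32: "12L", 33: "13", 34: "14", 35: "15"}

# One line of `pm list users`, e.g. "UserInfo{10:Work profile:1030} running".
# The greedy name group tolerates ':' inside a user name.
USER_RE = re.compile(r"UserInfo\{(\d+):(.*):([0-9a-fA-F]+)\}")

def parse_users(pm_output):
    """Return [(user_id, name)] parsed from `pm list users` output."""
    return [(int(m.group(1)), m.group(2)) for m in USER_RE.finditer(pm_output)]

def assess(device):
    """Classify one inventory record: {'serial', 'sdk', 'users'}."""
    release = AFFECTED_SDK.get(int(device["sdk"].strip()))
    # User 0 is the primary user; anything else is a secondary user or profile.
    secondary = [(uid, name) for uid, name in parse_users(device["users"]) if uid != 0]
    if release is None:
        status = "not-listed"            # release not named in the advisory
    elif secondary:
        status = "affected-multi-user"   # cross-user boundary exists on device
    else:
        status = "affected-single-user"  # listed release, no second user yet
    return {"serial": device["serial"], "release": release,
            "secondary_users": secondary, "status": status}

def audit(inventory):
    """Assess every device; multi-user devices on listed releases come first."""
    order = {"affected-multi-user": 0, "affected-single-user": 1, "not-listed": 2}
    return sorted((assess(d) for d in inventory), key=lambda r: order[r["status"]])

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"serial": "EXAMPLE-0002", "sdk": "32\n",
     "users": "Users:\n\tUserInfo{0:Owner:c13} running\n"},
    {"serial": "EXAMPLE-0003", "sdk": "30\n",
     "users": "Users:\n\tUserInfo{0:Owner:c13} running\n\tUserInfo{11:Guest:804}\n"},
    {"serial": "EXAMPLE-0001", "sdk": "34\n",
     "users": "Users:\n\tUserInfo{0:Owner:c13} running\n"
              "\tUserInfo{10:Work profile:1030} running\n"},
]

if __name__ == "__main__":
    for row in audit(INVENTORY):
        print(row["serial"], row["release"], row["status"], row["secondary_users"])
```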

Technical Details

Data Version: 5.1
Assigner Short Name: google_android
Date Reserved: 2024-12-13T16:56:02.698Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68ae3d1bad5a09ad005c3bd0

Added to database: 8/26/2025, 11:02:51 PM

Last enriched: 9/3/2025, 1:05:34 AM

Last updated: 9/4/2025, 11:06:15 PM
