CVE-2025-0083 is a medium-severity information disclosure vulnerability affecting multiple versions of the Google Android operating system, specifically versions 12, 12L, 13, 14, and 15. The root cause of this vulnerability lies in improper handling of URI double encoding in multiple locations within the Android platform. This flaw allows an attacker to bypass user profile isolation mechanisms by accessing content across different user profiles on the same device. The vulnerability does not require any additional execution privileges or user interaction to be exploited, meaning an attacker with local access to the device can leverage this flaw to obtain sensitive information from other user profiles. The vulnerability is categorized under CWE-116, which relates to improper encoding or escaping of output, leading to potential injection or information disclosure issues. The CVSS v3.1 base score is 4.0, reflecting a medium severity level, with the vector indicating local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), and limited confidentiality impact (C:L). There are no known exploits in the wild at this time, and no patches have been linked yet. This vulnerability highlights a design or implementation flaw in Android's URI handling that compromises the confidentiality of user data across profiles, which is critical in multi-user environments such as shared devices or enterprise-managed devices with multiple user accounts.

For European organizations, the impact of CVE-2025-0083 can be significant in environments where Android devices are shared among multiple users or where devices support multiple user profiles, such as in corporate or educational settings. The vulnerability allows local attackers to access information from other user profiles without needing elevated privileges or user interaction, potentially exposing sensitive corporate data, personal information, or credentials stored in other profiles. This could lead to privacy violations, data leakage, and compliance issues under regulations like GDPR, which mandate strict controls over personal data confidentiality. Although the attack requires local access, insider threats or compromised devices could exploit this vulnerability to escalate data access beyond intended boundaries. The lack of required user interaction lowers the barrier for exploitation once local access is obtained. However, since the vulnerability does not affect integrity or availability, the primary concern remains unauthorized data disclosure. The medium severity rating suggests that while the risk is not critical, organizations should prioritize mitigation especially in high-security environments or where sensitive data is stored on Android devices with multiple user profiles.

To mitigate CVE-2025-0083, European organizations should implement the following specific measures: 1) Restrict physical and local access to Android devices, especially those configured with multiple user profiles, to trusted personnel only. 2) Enforce strict device management policies using Mobile Device Management (MDM) solutions to monitor and control user profile configurations and limit the creation of unnecessary profiles. 3) Apply principle of least privilege by disabling or removing unused user profiles to reduce the attack surface. 4) Monitor for unusual local access patterns or attempts to access cross-profile data using endpoint detection and response (EDR) tools tailored for mobile devices. 5) Educate users and administrators about the risks of local access vulnerabilities and the importance of securing devices physically and logically. 6) Stay alert for official patches or updates from Google and prioritize timely deployment once available. 7) Consider deploying additional application-layer encryption or containerization for sensitive data within user profiles to limit exposure even if cross-profile access occurs. 8) For high-security environments, consider restricting the use of shared devices or multi-profile configurations until the vulnerability is patched.