CVE-2025-22428 is a high-severity elevation of privilege vulnerability affecting Google Android versions 13, 14, and 15. The flaw resides in the hasInteractAcrossUsersFullPermission method within the AppInfoBase.java component. Due to a logic error, an application running under a secondary user profile can be granted permissions from the primary user profile without proper authorization checks. This vulnerability allows a local attacker, who already has some level of access on the device, to escalate their privileges to a higher level without requiring additional execution privileges or user interaction. The vulnerability is classified under CWE-863, which relates to improper authorization. The CVSS v3.1 base score is 7.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction needed. Exploitation requires local access but no additional privileges beyond those of the attacker. Although no known exploits are currently reported in the wild, the vulnerability poses a significant risk due to its ability to bypass user permission boundaries between primary and secondary users on Android devices. This could enable malicious apps or attackers to gain unauthorized access to sensitive data or system functions across user profiles on the same device.

For European organizations, this vulnerability presents a notable risk especially in environments where Android devices are shared among multiple users or where secondary user profiles are used for work or guest access. The ability to escalate privileges locally without user interaction means that if an attacker gains any foothold on a device, they could potentially access or manipulate sensitive corporate data stored in other user profiles or escalate their access to system-level functions. This could lead to data breaches, unauthorized access to corporate applications, or disruption of device availability. Organizations relying on Android devices for mobile workforce operations, BYOD policies, or shared device scenarios are particularly vulnerable. The impact is heightened in sectors with strict data protection regulations such as GDPR, where unauthorized data access could lead to compliance violations and significant fines. Additionally, the vulnerability could be leveraged to bypass security controls implemented at the user profile level, undermining endpoint security strategies.

To mitigate this vulnerability, European organizations should prioritize updating affected Android devices to patched versions as soon as Google releases security updates addressing CVE-2025-22428. Until patches are available, organizations should restrict the use of secondary user profiles on corporate devices or enforce strict application installation policies to limit exposure. Employ Mobile Device Management (MDM) solutions to monitor and control app permissions and user profiles rigorously. Conduct regular audits of device user configurations to detect unauthorized secondary profiles or suspicious permission grants. Additionally, implement endpoint detection and response (EDR) tools capable of identifying abnormal privilege escalation behaviors on Android devices. Educate users about the risks of installing untrusted applications, especially on devices with multiple user profiles. Where possible, disable or limit secondary user functionality on devices used in sensitive environments. Finally, maintain an inventory of Android devices and their OS versions to ensure timely patch management and vulnerability remediation.