CVE-2025-26445: Information disclosure in Google Android
In offerNetwork of ConnectivityService.java, there is a possible leak of sensitive data due to a missing permission check. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
AI Analysis
Technical Summary
CVE-2025-26445 is a medium-severity information disclosure vulnerability affecting Google Android versions 13, 14, and 15. The flaw exists in the offerNetwork method of the ConnectivityService.java component, where a missing permission check allows unauthorized local processes to access sensitive information. The vulnerability is classified under CWE-862 (Missing Authorization). An attacker with local access and limited privileges (PR:L) can exploit this flaw without requiring user interaction (UI:N), potentially leaking confidential data. The vulnerability does not impact integrity or availability but poses a significant confidentiality risk. The CVSS v3.1 base score is 5.5, reflecting the moderate impact and ease of exploitation given the low attack complexity and lack of user interaction. No known exploits are currently reported in the wild, and no official patches have been linked yet. However, the vulnerability's presence in recent Android versions means that many devices remain at risk until updates are applied. The issue arises because the ConnectivityService, which manages network connectivity, fails to enforce proper permission checks before disclosing network-related sensitive information, potentially exposing data such as network configurations or credentials to unauthorized local applications or users.
Potential Impact
For European organizations, this vulnerability could lead to unauthorized disclosure of sensitive network information on Android devices used within corporate environments. Given the widespread use of Android smartphones and tablets in Europe, including in sectors like finance, healthcare, and government, the leak of network-related data could facilitate further targeted attacks or espionage. Although exploitation requires local access, compromised or malicious apps installed on employee devices could leverage this flaw to gather confidential information without detection. This could undermine data privacy compliance obligations under regulations such as GDPR, especially if the leaked information includes personal or sensitive data. Additionally, organizations with bring-your-own-device (BYOD) policies may face increased risk as personal devices with vulnerable Android versions connect to corporate networks. The lack of required user interaction simplifies exploitation, increasing the threat potential. However, since the vulnerability does not allow remote exploitation or impact system integrity or availability, the overall risk is moderate but should not be underestimated in environments with sensitive data.
Mitigation Recommendations
European organizations should prioritize the following mitigation steps:
1) Inventory and identify Android devices running versions 13, 14, or 15 within their environment.
2) Monitor official Google security advisories for patches addressing CVE-2025-26445 and apply updates promptly once available.
3) Restrict installation of untrusted or unnecessary applications on corporate and BYOD devices to reduce the risk of local exploitation.
4) Employ mobile device management (MDM) solutions to enforce security policies, including app vetting and permission controls, limiting apps' ability to access sensitive system services.
5) Educate users about the risks of installing apps from unofficial sources and the importance of keeping devices updated.
6) Implement network segmentation and strong authentication to limit the impact of compromised devices.
7) Consider deploying endpoint detection and response (EDR) tools capable of identifying suspicious local activity related to network service access.
These targeted measures go beyond generic advice by focusing on controlling local access and app permissions, which are critical given the local nature of this vulnerability.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: google_android
- Date Reserved: 2025-02-10T18:29:43.943Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68b9d3bf88499799243bc1bb
Added to database: 9/4/2025, 6:00:31 PM
Last enriched: 9/11/2025, 8:17:37 PM
Last updated: 10/18/2025, 7:02:56 AM