CVE-2025-32345: Elevation of privilege in Google Android
In updateState of ContentProtectionTogglePreferenceController.java, there is a possible way for a secondary user to disable the primary user's deceptive app scanning setting due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AI Analysis
Technical Summary
CVE-2025-32345 is a local elevation of privilege vulnerability identified in Google Android versions 15 and 16. The flaw exists in the updateState method of the ContentProtectionTogglePreferenceController.java component. Due to a logic error in the code, a secondary user on the device can disable the primary user's deceptive app scanning setting without requiring any additional execution privileges or user interaction. This deceptive app scanning setting is likely a security feature designed to detect or prevent malicious or deceptive applications from running or being installed. By exploiting this vulnerability, a secondary user can effectively bypass or weaken the primary user's security controls, potentially allowing malicious apps or behaviors to go undetected. The vulnerability does not require user interaction, making it easier to exploit in multi-user environments. Since the exploit is local, an attacker must have at least secondary user access on the device, but no further privileges are needed. There are no known exploits in the wild at the time of publication, and no CVSS score has been assigned yet. The vulnerability was reserved in April 2025 and published in September 2025, indicating recent discovery and disclosure. The lack of a patch link suggests that a fix may not yet be publicly available or is pending release.
Potential Impact
For European organizations, this vulnerability poses a risk primarily in environments where Android devices are shared among multiple users or where secondary user accounts are enabled. Enterprises that provide Android devices to multiple employees or use shared devices in kiosks, retail, or field operations could see an increased risk of privilege escalation. An attacker with secondary user access could disable security features intended to protect against deceptive or malicious apps, potentially leading to unauthorized app installations, data leakage, or further compromise of the device. This could undermine organizational security policies and increase the attack surface. The impact on confidentiality and integrity is significant because the attacker can weaken security controls without detection. Availability impact is lower but could occur if malicious apps disrupt device functionality. Since no user interaction is required, exploitation could be stealthy and automated. The vulnerability also raises concerns for BYOD (Bring Your Own Device) scenarios where personal and corporate data coexist on the same device with multiple user profiles. Overall, this vulnerability could facilitate lateral movement or persistence on Android devices within European organizations, especially those relying on Android 15 or 16 versions.
Mitigation Recommendations
Organizations should immediately audit Android devices to identify those running versions 15 or 16 and assess whether multi-user configurations are enabled. Until a patch is available, restricting or disabling secondary user accounts on corporate devices can reduce the attack surface. Implement strict access controls and monitoring for secondary user activities. Employ Mobile Device Management (MDM) solutions to enforce security policies and detect unauthorized changes to security settings. Educate users about the risks of shared device usage and encourage the use of single-user profiles where feasible. Monitor for unusual behavior indicative of security setting tampering. Once Google releases a patch, prioritize timely deployment across all affected devices. Additionally, consider deploying endpoint detection and response (EDR) tools capable of identifying suspicious privilege escalation attempts on Android devices. For critical environments, consider isolating Android devices or using hardened configurations that limit user privilege escalation opportunities.
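The first audit step above (find devices on Android 15 or 16 that also have secondary users) can be scripted against the two shell commands Android already exposes, `getprop ro.build.version.release` and `pm list users`. The script below is an added example, not part of this advisory or of Android; the device output it parses is constructed to match the `UserInfo{id:name:flags}` format `pm list users` prints, and the live-use line assumes `adb` is on the PATH.

```shell
#!/bin/sh
# Added triage helper (assumption: not from the advisory or from Android).
# Flags devices that are in scope for CVE-2025-32345 mitigation: an affected
# release (15 or 16) AND at least one secondary user besides user 0 (owner).

# is_affected_release RELEASE -> 0 when the major release is 15 or 16
is_affected_release() {
    case "$1" in
        15|15.*|16|16.*) return 0 ;;
        *)               return 1 ;;
    esac
}

# count_secondary_users: reads "pm list users" output on stdin and prints how
# many listed users have an id other than 0. Each user line looks like
#   UserInfo{10:Alice:410} running
# so splitting on "{" and ":" puts the numeric id in field 2.
count_secondary_users() {
    awk '/UserInfo\{/ { split($0, f, /[{:]/); if (f[2] != "0") n++ }
         END { print n + 0 }'
}

# triage_device RELEASE < pm-list-users-output
# Prints a verdict; returns 0 when the device needs attention, 1 otherwise.
triage_device() {
    release="$1"
    secondary=$(count_secondary_users)
    if is_affected_release "$release" && [ "$secondary" -gt 0 ]; then
        echo "IN-SCOPE: Android $release with $secondary secondary user(s); restrict secondary accounts until patched"
        return 0
    fi
    echo "OK: Android $release, $secondary secondary user(s)"
    return 1
}

# Constructed sample of "pm list users" output (not captured from a real device).
SAMPLE_USERS='Users:
	UserInfo{0:Owner:c13} running
	UserInfo{10:Alice:410}'

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_USERS" | triage_device "15"

# Live use against a connected device (requires adb):
#   adb shell pm list users | \
#     triage_device "$(adb shell getprop ro.build.version.release | tr -d '\r')"
```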
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: google_android
- Date Reserved: 2025-04-04T23:31:03.896Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68b9dcc588499799243c2f35
Added to database: 9/4/2025, 6:39:01 PM
Last enriched: 9/4/2025, 7:24:20 PM
Last updated: 9/5/2025, 9:12:39 PM