CVE-2025-32347: Elevation of privilege in Google Android
In onStart of BiometricEnrollIntroduction.java, there is a possible way to determine the device's location due to an unsafe PendingIntent. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
AI Analysis
Technical Summary
CVE-2025-32347 is a vulnerability identified in Google Android versions 13 through 16, specifically within the BiometricEnrollIntroduction.java component. The issue stems from an unsafe use of PendingIntent in the onStart method, which inadvertently exposes the device's location information. PendingIntent is a common Android mechanism that allows an application to pass a future intent to another application or system component. If improperly configured, it can be hijacked or misused to perform unauthorized actions. In this case, the unsafe PendingIntent allows a local attacker to escalate privileges without requiring additional execution privileges, meaning the attacker does not need to have elevated rights beforehand. However, user interaction is necessary to trigger the exploit, which limits remote exploitation but does not eliminate risk on compromised or socially engineered devices. The vulnerability is categorized under CWE-926 (Improper Handling of Permissions), indicating a failure to correctly manage access controls. The CVSS v3.1 base score is 7.8, reflecting high severity due to its impact on confidentiality (disclosure of location), integrity (potential unauthorized actions), and availability (possible disruption). Although no public exploits are known at this time, the vulnerability's presence in recent Android versions makes it a significant concern for device security and privacy.
Potential Impact
The vulnerability allows a local attacker to escalate privileges on affected Android devices, potentially gaining unauthorized access to sensitive location data. This breach of confidentiality can lead to privacy violations and targeted attacks. Integrity is also at risk since the attacker might manipulate biometric enrollment or related processes, potentially undermining device authentication mechanisms. Availability could be impacted if the exploit causes system instability or denial of service during biometric enrollment. Organizations relying on Android devices for secure authentication or sensitive operations may face increased risk of data leakage and unauthorized access. The requirement for user interaction reduces the likelihood of widespread automated exploitation but does not eliminate targeted attacks, especially in environments where users might be socially engineered. The lack of known exploits in the wild currently limits immediate risk but emphasizes the need for proactive mitigation. The vulnerability affects a broad range of Android versions, impacting a large global user base and enterprise deployments.
Mitigation Recommendations
Organizations should monitor for official patches from Google and apply them promptly once released. Until patches are available, restrict access to biometric enrollment features and educate users about the risks of interacting with unexpected prompts or requests related to biometric setup. Implement application whitelisting and privilege restrictions to limit the ability of local applications to invoke or manipulate PendingIntents associated with biometric enrollment. Employ mobile device management (MDM) solutions to enforce security policies and monitor for suspicious activity related to biometric enrollment processes. Developers should review and harden PendingIntent usage in their applications, ensuring that the PendingIntents are immutable or that the wrapped intents explicitly specify their target components, so they cannot be hijacked. Regularly audit device configurations and permissions to minimize the attack surface. Additionally, consider disabling biometric enrollment temporarily in high-risk environments until a fix is applied.
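The developer-side hardening above (immutable PendingIntents, explicit target components) shown in code, as an added Java example written for this page: it is not the AOSP code from BiometricEnrollIntroduction.java and does not reproduce the actual flaw. The page does not say which Intent the affected onStart wrapped, so the class name, action string and target component below are hypothetical placeholders; the `isSafeToWrap` check is likewise an illustrative review helper, not an Android API.

```java
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.os.Build;

// Added illustration of the unsafe versus hardened PendingIntent pattern.
// Not the code from BiometricEnrollIntroduction.java; all names are hypothetical.
public final class PendingIntentHardening {

    // Hypothetical in-app target for the wrapped Intent.
    private static final String TARGET_CLASS = "com.example.settings.EnrollResultActivity";

    /** Weak pattern: an implicit Intent wrapped in a mutable PendingIntent. */
    static PendingIntent weak(Context ctx) {
        // No component is set, so the Intent is implicit: the eventual
        // receiver is resolved at send time rather than fixed here.
        Intent implicit = new Intent("com.example.ACTION_ENROLL_DONE");
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            // FLAG_MUTABLE lets whoever holds the PendingIntent fill in
            // unspecified fields, and the send runs with the creator's
            // identity and permissions (for a system app, that may include
            // location access, which is the privacy concern the page describes).
            flags |= PendingIntent.FLAG_MUTABLE;
        }
        return PendingIntent.getActivity(ctx, 0, implicit, flags);
    }

    /** Hardened pattern: explicit component plus FLAG_IMMUTABLE. */
    static PendingIntent hardened(Context ctx) {
        Intent explicit = new Intent();
        // Pin the destination so no other app can claim the Intent.
        explicit.setClassName(ctx.getPackageName(), TARGET_CLASS);
        int flags = PendingIntent.FLAG_UPDATE_CURRENT;
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.M) {
            // FLAG_IMMUTABLE (API 23+) forbids the holder from altering
            // any field of the wrapped Intent before it is sent.
            flags |= PendingIntent.FLAG_IMMUTABLE;
        }
        return PendingIntent.getActivity(ctx, 0, explicit, flags);
    }

    /**
     * Hypothetical review helper: returns true only when the Intent names
     * its target component and the flags make the PendingIntent immutable.
     * Useful as a precondition check or unit-test assertion during code review.
     */
    static boolean isSafeToWrap(Intent intent, int flags) {
        boolean explicitTarget = intent.getComponent() != null;
        boolean immutable = (flags & PendingIntent.FLAG_IMMUTABLE) != 0;
        return explicitTarget && immutable;
    }
}
```

On Android 12 (API 31) and later, apps targeting that level must pass either FLAG_IMMUTABLE or FLAG_MUTABLE when creating a PendingIntent, which is why the two branches check the SDK level explicitly. The `isSafeToWrap` check encodes the review rule from the recommendations above: a mutable PendingIntent around an implicit Intent is the combination to flag, while immutability alone or an explicit component alone each remove one of the two conditions an abuser needs.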
Affected Countries
United States, India, Brazil, Indonesia, Russia, Germany, United Kingdom, France, Japan, South Korea, Mexico, Nigeria, Turkey, Vietnam, Egypt
Technical Details
- Data Version: 5.1
- Assigner Short Name: google_android
- Date Reserved: 2025-04-04T23:31:03.897Z
- Cvss Version: null
- State: PUBLISHED
Threat ID: 68b9dcc588499799243c2f3c
Added to database: 9/4/2025, 6:39:01 PM
Last enriched: 2/27/2026, 1:36:51 AM
Last updated: 3/24/2026, 7:05:56 AM