CVE-2025-48523: Elevation of privilege in Google Android
In onCreate of SelectAccountActivity.java, there is a possible way to add contacts without permission due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
AI Analysis
Technical Summary
CVE-2025-48523 is a local elevation of privilege vulnerability in Google Android versions 13 through 16. The flaw exists in the onCreate method of the SelectAccountActivity.java component, where a logic error allows an attacker to add contacts without requiring the appropriate permissions. This vulnerability arises from improper access control or validation in the code handling account selection and contact addition. Exploitation does not require any additional execution privileges or user interaction, meaning a local attacker with access to the device can leverage this flaw to escalate their privileges silently. By adding contacts without permission, an attacker could potentially manipulate contact data or leverage this foothold for further malicious activities on the device. Although no known exploits are currently reported in the wild, the vulnerability's nature and ease of exploitation make it a significant risk. The absence of a CVSS score indicates that the vulnerability is newly published and has not yet been fully assessed for severity. The vulnerability affects multiple recent Android versions, indicating a broad impact across many devices still in active use.
Potential Impact
For European organizations, this vulnerability poses a risk primarily to mobile device security, especially for employees using Android devices in corporate environments. An attacker exploiting this flaw could gain unauthorized access to contact information or escalate privileges on the device, potentially leading to data leakage or enabling further attacks such as lateral movement within corporate networks. Since user interaction is not required, malware or malicious apps could silently exploit this vulnerability once local access is obtained, increasing the risk of stealthy compromise. Organizations relying on Android devices for sensitive communications or identity management could see confidentiality and integrity impacts. Furthermore, compromised devices could be used as entry points for broader attacks against enterprise resources. The impact is heightened in sectors with strict data protection requirements, such as finance, healthcare, and government, where unauthorized access to contact or identity data could lead to regulatory penalties and reputational damage.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should prioritize updating Android devices to patched versions once Google releases a fix. Until then, organizations should implement strict mobile device management (MDM) policies to control app installations and restrict local access to devices. Employing application whitelisting and monitoring for unusual contact modifications can help detect exploitation attempts. Security teams should audit device permissions and review installed applications for potential malicious behavior. Additionally, educating users about the risks of installing untrusted applications and enforcing strong device access controls (e.g., biometric or PIN locks) can reduce the likelihood of local attackers gaining access. Organizations should also consider isolating sensitive mobile workloads and using containerization or sandboxing technologies to limit the impact of a compromised device. Regular security assessments and penetration testing focusing on mobile environments will help identify and remediate related risks proactively.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Poland, Belgium, Ireland
Technical Details
Data Version: 5.1
Assigner Short Name: google_android
Date Reserved: 2025-05-22T18:10:57.281Z
CVSS Version: null
State: PUBLISHED
Threat ID: 68b9dcc588499799243c2f57
Added to database: 9/4/2025, 6:39:01 PM
Last enriched: 9/4/2025, 7:11:50 PM
Last updated: 9/5/2025, 8:04:45 PM