CVE-2025-48575 is a vulnerability affecting Google Android operating system versions 13, 14, 15, and 16. The issue resides in multiple functions within the CertInstaller.java component, which is responsible for installing security certificates on the device. Due to a permissions bypass, an attacker with limited local privileges can install unauthorized certificates without the need for additional execution privileges or user interaction. This bypass allows the attacker to escalate their privileges locally, potentially gaining elevated access to sensitive system functions and data. The vulnerability is classified as CWE-862, indicating a missing authorization check that leads to privilege escalation. The CVSS v3.1 base score is 7.8, reflecting high severity, with metrics indicating local attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity, and availability. Although no public exploits are known at this time, the vulnerability poses a significant risk due to the critical nature of certificate installation and trust on Android devices. The lack of user interaction and low privileges required make it easier for attackers who have local access to exploit this flaw.

The impact of CVE-2025-48575 is substantial for organizations and individual users relying on affected Android versions. An attacker exploiting this vulnerability can install malicious certificates, which could be used to intercept, decrypt, or manipulate encrypted communications (man-in-the-middle attacks), bypass security controls, or install persistent malware with elevated privileges. This compromises device confidentiality, integrity, and availability, potentially exposing sensitive corporate data, user credentials, and communications. For enterprises, this could lead to data breaches, unauthorized access to internal networks, and disruption of business operations. The vulnerability’s ease of exploitation without user interaction increases the risk of automated or stealthy attacks, especially in environments where devices are shared or physically accessible by untrusted parties. The absence of known exploits currently provides a window for mitigation before widespread exploitation occurs.

To mitigate CVE-2025-48575, organizations should prioritize updating affected Android devices to patched versions once available from Google or device manufacturers. Until patches are released, organizations should restrict local access to devices, enforce strong device lock policies, and monitor for unusual certificate installations or modifications. Implementing Mobile Device Management (MDM) solutions can help enforce security policies and detect anomalies related to certificate stores. Additionally, auditing and restricting app permissions related to certificate management can reduce the attack surface. Security teams should also educate users about the risks of physical device access by unauthorized persons. Network-level protections such as certificate pinning and monitoring for suspicious certificate authorities in use can help detect exploitation attempts. Finally, organizations should maintain an inventory of devices running affected Android versions to prioritize remediation efforts.