CVE-2025-60722 is a medium-severity path traversal vulnerability identified in Microsoft OneDrive for Android version 1.0. The vulnerability is classified under CWE-22, which involves improper limitation of a pathname to a restricted directory. This flaw allows an authorized attacker—someone who already has some level of access—to manipulate file path inputs to access or modify files outside the intended directories. The vulnerability can be exploited remotely over a network (AV:N) with low attack complexity (AC:L), and does not require user interaction (UI:N). However, it requires privileges (PR:L), meaning the attacker must have some level of legitimate access to the device or app. The impact is primarily on integrity (I:H), allowing unauthorized modification of files or data, but it does not affect confidentiality or availability directly. The scope remains unchanged (S:U), indicating the vulnerability affects only the vulnerable component without impacting other components. No known exploits have been reported in the wild, and no official patches have been released as of the publication date. The vulnerability could enable attackers to elevate their privileges by accessing or modifying files outside the app’s restricted directories, potentially leading to further compromise of the device or data. Given the widespread use of OneDrive on Android devices, this vulnerability poses a significant risk to users and organizations relying on this platform for file storage and synchronization.

The primary impact of CVE-2025-60722 is on the integrity of data stored or accessed through OneDrive for Android. An attacker with some level of access could exploit this vulnerability to manipulate or overwrite files outside the intended directories, potentially leading to unauthorized changes in critical files or configurations. This could facilitate further privilege escalation, data tampering, or persistence mechanisms on the device. Although confidentiality and availability are not directly impacted, the integrity compromise could indirectly lead to data loss or corruption, undermining trust in the affected systems. Organizations relying on OneDrive for Android for business-critical file synchronization and storage could face operational disruptions, data integrity issues, and potential compliance violations if exploited. The network attack vector and lack of required user interaction increase the risk of remote exploitation, especially in environments where devices are connected to untrusted networks. The absence of known exploits in the wild provides a window for proactive mitigation, but the lack of an official patch increases urgency for interim protective measures.

1. Limit app permissions on Android devices to restrict OneDrive’s access to only necessary directories and files, minimizing the attack surface. 2. Employ mobile device management (MDM) solutions to enforce security policies, including restricting installation of untrusted apps and controlling network access. 3. Monitor device and network activity for unusual file access patterns or privilege escalation attempts related to OneDrive. 4. Educate users and administrators about the risks of privilege escalation vulnerabilities and encourage vigilance regarding app behavior. 5. Apply security updates and patches from Microsoft promptly once they become available to address this vulnerability. 6. Consider isolating or sandboxing OneDrive usage on sensitive devices to limit potential damage from exploitation. 7. Use endpoint detection and response (EDR) tools capable of detecting anomalous file system activities indicative of path traversal exploitation. 8. Review and audit file access controls and permissions within OneDrive and the underlying Android file system to ensure least privilege principles are enforced. These measures go beyond generic advice by focusing on controlling app permissions, monitoring for specific exploitation behaviors, and preparing for patch deployment.