September 2025 Android Security Bulletin Highlights Exploited Flaws: CVE-2025-38352 & CVE-2025-48543
Google has published the September 2025 Android Security Bulletin, which includes a wide set of fixes across core and vendor components. Notably, two vulnerabilities, tracked as CVE-2025-38352 and CVE-2025-48543, are already confirmed to be under exploitation.
In this blog, we break down the exploited vulnerabilities, highlight other critical fixes, and show how you can stay protected against these threats.
Actively Exploited Vulnerabilities
According to Google’s bulletin, two vulnerabilities have already drawn attention from attackers, with signs of limited and targeted exploitation in the wild. This makes them stand out from the wider set of patched issues and places them at the center of September’s update.
CVE-2025-38352: Kernel Race Condition
The first exploited flaw resides in the Linux kernel. Tracked as CVE-2025-38352 (CVSS 7.4), it stems from a race condition between handle_posix_cpu_timers() and posix_cpu_timer_del(). Under certain timing conditions, particularly when tasks exit and timer operations overlap, this bug could be abused to gain elevated privileges or destabilize the system.
Google confirmed it has already been exploited in limited, targeted attacks, which makes applying the patch without delay especially important.
Details of CVE-2025-38352 (SOCRadar Labs CVE Radar)
CVE-2025-48543: Privilege Escalation in Android Runtime
The second exploited vulnerability, CVE-2025-48543, affects the Android Runtime. It allows a local attacker to gain elevated privileges without requiring user interaction.
While technical details remain undisclosed, exploitation attempts for CVE-2025-48543 have been observed in the wild, as noted in the bulletin. This makes it particularly dangerous, as it could be chained with other flaws to achieve deeper compromise.
Other Critical Vulnerabilities Patched
In addition to the actively exploited flaws, Google’s September bulletin fixes several other high‑impact vulnerabilities spanning the Android platform and vendor components:
- CVE-2025-48539 (Critical): A Remote Code Execution (RCE) issue in the System component. Because it can be exploited by a proximal/adjacent attacker without any user interaction, it represents a severe risk of compromise. The bulletin highlights it as the most critical issue.
- Qualcomm closed‑source components: Three critical issues (CVE-2025-21450, CVE-2025-21483, CVE-2025-27034) were found in proprietary elements like the modem and DSP. These could enable RCE or complete device compromise if left unpatched.
September 2025 Android Security Patch Levels and Update Coverage
Devices updated to the 2025-09-05 patch level are protected against all vulnerabilities listed in this month’s bulletin. Those on the 2025-09-01 patch level receive fixes for issues in Android Runtime, Framework, and System, while the later patch level expands coverage to Kernel and vendor-specific flaws.
Google confirmed that source code patches will appear in the Android Open Source Project (AOSP) repository within 48 hours, enabling device makers to integrate them quickly into updates.
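The patch-level split described above can be turned into a quick fleet check. The script below is an added example, not code from Google or the bulletin: it maps a device's reported security patch level to the CVEs named in this article that remain open at that level. The function names and the sample inventory are assumptions made for illustration; `ro.build.version.security_patch` is the Android system property that holds the patch level.

```shell
# Added example, not from the bulletin. The CVE-to-patch-level mapping below
# follows this article's description of the two September 2025 patch levels.
FIXED_0901="CVE-2025-48543 CVE-2025-48539"  # Android Runtime, System
FIXED_0905="CVE-2025-38352 CVE-2025-21450 CVE-2025-21483 CVE-2025-27034"  # Kernel, Qualcomm
EXPLOITED="CVE-2025-38352 CVE-2025-48543"   # reported as exploited in the wild

# unpatched_cves YYYY-MM-DD: print the article's CVEs that level leaves open.
# Prints an empty line when fully covered; returns 2 on a malformed level.
unpatched_cves() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid patch level: $1" >&2; return 2 ;;
    esac
    n=$(printf '%s' "$1" | tr -d '-')   # 2025-09-01 -> 20250901
    out=""
    if [ "$n" -lt 20250901 ]; then out="$FIXED_0901"; fi
    if [ "$n" -lt 20250905 ]; then out="${out:+$out }$FIXED_0905"; fi
    printf '%s\n' "$out"
}

# exploited_unpatched YYYY-MM-DD: subset of the above already under attack.
exploited_unpatched() {
    open=$(unpatched_cves "$1") || return 2
    hit=""
    for c in $EXPLOITED; do
        case " $open " in *" $c "*) hit="${hit:+$hit }$c" ;; esac
    done
    printf '%s\n' "$hit"
}

# report_fleet: read "serial patch-level" lines on stdin, one verdict per line.
# Live value: adb -s SERIAL shell getprop ro.build.version.security_patch
report_fleet() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        if hit=$(exploited_unpatched "$level" 2>/dev/null); then
            printf '%s %s %s\n' "$serial" "$level" "${hit:-none-open}"
        else
            printf '%s %s unknown-patch-level\n' "$serial" "${level:-none}"
        fi
    done
}
# Constructed inventory (serials and levels are made up for illustration).
report_fleet <<'EOF'
PIXEL-A 2025-09-05
TAB-B 2025-09-01
KIOSK-C 2025-06-05
SCAN-D unknown
EOF
```

A device on the 2025-09-01 level still shows CVE-2025-38352 as open, which is why the 2025-09-05 level is the one to target for the exploited kernel flaw.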
How to Stay Protected
Even before patches roll out, Android has safeguards in place:
- Google Play Protect, enabled by default, scans apps and warns about potentially harmful software.
- Platform hardening in newer Android versions makes many vulnerabilities harder to exploit.
- Regular security updates remain the most reliable defense—users should install the September update as soon as it becomes available for their device.
Organizations managing fleets of Android devices should prioritize patch management and ensure critical systems receive updates without delay. For technical details and the full list of vulnerabilities, refer to the official Android Security Bulletin – September 2025.
From Vulnerability Overload to Actionable Intelligence
With new vulnerabilities emerging daily, keeping up with advisories like this one is only part of the challenge. Security teams need timely context on how these vulnerabilities are being exploited, which sectors are being targeted, and what defensive actions should take priority.
SOCRadar’s Cyber Threat Intelligence module helps organizations cut through the noise and focus on the vulnerabilities that truly matter. It continuously monitors vulnerability disclosures, exploit activity, and even Dark Web chatter to provide real‑time insights beyond what public bulletins offer.
SOCRadar’s Vulnerability Intelligence
With detailed risk scoring, exploit availability data, and mapping to affected assets, the module helps teams prioritize which vulnerabilities require immediate action and which can be addressed in regular patch cycles.

