Android September 2025 Security Update Fixes 120 Flaws; Two Zero‑Days Already Exploited

CyberSecureFox 🦊

Google has released the September 2025 Android Security Bulletin, addressing 120 vulnerabilities across the OS and ecosystem components. The company confirms that at least two zero‑days, CVE-2025-38352 (Linux kernel privilege escalation) and CVE-2025-48543 (Android Runtime privilege escalation), were exploited in limited, targeted, user‑interaction‑free attacks.

Android September 2025 security update: what’s fixed and why it matters

CVE-2025-38352 is a race condition in POSIX CPU timers within the Linux kernel that can disrupt task cleanup and destabilize the kernel. Discovered on 22 July 2025 and fixed upstream starting with 6.12.35‑1, it can lead to denial of service, system crashes, and privilege escalation. Kernel race conditions of this kind are valuable to attackers because they can be chained with other flaws to gain persistent root access.

CVE-2025-48543 affects Android Runtime (the execution environment for Java/Kotlin apps and system services). Google’s assessment indicates it could bypass sandbox boundaries and grant elevated system capabilities, a critical building block for malware that begins with a low‑privilege foothold and escalates to control sensitive services.

High‑risk vulnerabilities and attack surface

CVE-2025-48539: zero‑click RCE over proximity radios

CVE-2025-48539 enables remote code execution (RCE) in a core Android component without user interaction. An attacker in network or physical proximity (e.g., within Wi‑Fi or Bluetooth range) could run arbitrary code with no prior privileges. Proximity RCEs are prioritized because they can be wormable in local environments—historically illustrated by issues like BlueBorne and Stagefright.

Qualcomm patches: GPS, networking stacks, and call processing

Critical fixes also land in proprietary Qualcomm components: CVE-2025-21450 (GPS subsystem), CVE-2025-21483 (networking stacks), and CVE-2025-27034 (multi‑mode call processor). Weaknesses in these layers can affect geolocation integrity, traffic handling, and telephony, raising the risk of unauthorized data access, privacy compromise, and instability in modem‑level communications.

Patch levels 2025‑09‑01 and 2025‑09‑05: how to interpret and deploy

Google publishes two patch levels: 2025‑09‑01 consolidates fixes for Android’s core platform, while 2025‑09‑05 adds updates for drivers and vendor components (e.g., Qualcomm). OEMs use this scheme to ship partial updates sooner, then follow up with the broader vendor set. Organizations should standardize on the 2025‑09‑05 level where available to ensure full coverage.
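
A fleet check built on the two patch levels described above, as an added example that is not part of the original article. It assumes a CSV inventory export with hypothetical device IDs and a patch_level column holding each device's ro.build.version.security_patch value; the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Patch levels named in the September 2025 bulletin, as described above.
PLATFORM_LEVEL = date(2025, 9, 1)  # core platform fixes
FULL_LEVEL = date(2025, 9, 5)      # adds driver and vendor component fixes

# Constructed sample inventory (hypothetical device IDs). The patch_level
# column holds the ro.build.version.security_patch system property.
SAMPLE_INVENTORY = """device_id,patch_level
pixel-001,2025-09-05
tab-014,2025-09-01
phone-230,2025-08-05
kiosk-007,
phone-231,2025-10-01
scanner-03,Sept 2025
"""

def classify(patch_level):
    """Map a security patch level string to a coverage tier."""
    try:
        level = date.fromisoformat((patch_level or "").strip())
    except ValueError:
        return "unknown"  # missing or malformed: needs manual review
    if level >= FULL_LEVEL:
        return "full"
    if level >= PLATFORM_LEVEL:
        return "platform-only"  # vendor/driver fixes still outstanding
    return "unpatched"

def triage(inventory_csv):
    """Group device IDs by coverage tier, worst tiers listed first."""
    tiers = {"unpatched": [], "unknown": [], "platform-only": [], "full": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        tiers[classify(row.get("patch_level"))].append(row["device_id"])
    return tiers

if __name__ == "__main__":
    for tier, devices in triage(SAMPLE_INVENTORY).items():
        print(f"{tier:14} {len(devices):2}  {', '.join(devices)}")
```

Devices in the platform-only tier still lack the vendor component fixes, and unknown values are kept separate so a missing or malformed field is never counted as patched.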

Risks to consumers and enterprises

The presence of zero‑click exploitation paths increases risk for devices connected to public networks or with continuously enabled Bluetooth/Wi‑Fi. In enterprise fleets, privilege escalation and RCE can undermine EMM/MDM controls, enable data exfiltration, and facilitate lateral movement. These concerns are consistent with broader industry tracking of exploited vulnerabilities—see Google’s Android bulletins and the CISA KEV catalog—which routinely flag mobile platform CVEs under active abuse.

Immediate mitigation: practical steps for defenders

Recommended actions:

  • Update to the September patch at the 2025‑09‑05 level where supported by the OEM.
  • Until patched, reduce device discoverability over Bluetooth and Wi‑Fi; disable unnecessary radios.
  • Avoid sideloading APKs; tighten app permission governance and enforce store‑only installs.
  • For enterprises: push updates via MDM/EMM, block sideloading, and ensure Google Play Protect is enabled.
  • Monitor logs for kernel panics and anomalies in system services as potential indicators of exploitation.

Mobile platforms remain a priority target for precision attacks leveraging zero‑day chains. Rapid patch adoption, attack‑surface minimization, and disciplined app management materially reduce exposure. Security teams should track the Android Security Bulletin and vendor advisories (including Qualcomm) and integrate new fixes into routine patch cycles to maintain a resilient mobile baseline.
