Android: Local privilege escalation in Android DevicePolicyManagerService (hasAccountsOnAnyUser logic error) (CVE-2025-48633)

Summary

Welcome to today’s security podcast. We’ll be unpacking CVE-2025-48633, a locally exploitable logic flaw in Google Android’s DevicePolicyManagerService. This issue allows an attacker to add a Device Owner after provisioning without user interaction or extra privileges, enabling local privilege escalation. It’s one of two high-severity flaws under targeted exploitation in Google’s December patch rollout.

Product details

The vulnerability affects Google Android versions 13, 14, 15, and 16. It resides in the Android Framework’s DevicePolicyManagerService component, specifically in the hasAccountsOnAnyUser function. All devices running these Android releases are impacted until they receive the December security updates from Google.

Vulnerability type summary

CVE-2025-48633 is classified as an information disclosure and local privilege escalation vulnerability. It stems from a logic error in the code that checks for existing accounts on user profiles, allowing unauthorized elevation of app permissions to full Device Owner status.

Details of the vulnerability

In the hasAccountsOnAnyUser method of DevicePolicyManagerService.java, a flawed conditional lets an attacker bypass normal provisioning checks. By invoking this method locally, a malicious app can register itself as a Device Owner post-provisioning. Once granted Device Owner privileges, the attacker gains broad control over device policies, including enforcing restrictive settings, installing or removing apps, and potentially exfiltrating sensitive data. No special execution privileges or user consent are needed, making exploitation straightforward on an unpatched device.

Conclusion

CVE-2025-48633 underscores the importance of timely patching. If you manage or use Android 13 through 16 devices, apply Google’s December security update immediately. Restrict installation of untrusted apps and monitor device-owner assignments to reduce risk. Stay tuned to this podcast for further security bulletins and best practices.


Remediation and exploitation details

This chain involves the following actors

  • Attacker: Local unprivileged user or malicious application seeking privilege escalation
  • Victim: Device user or organization relying on Android device policy controls

The following systems are involved

  • Android DevicePolicyManagerService (Enforces device administration policies and owner assignments): Validates and assigns Device Owner status during provisioning
  • Android Provisioning Framework (Initial device setup and assignment of management roles): Calls hasAccountsOnAnyUser to check for existing accounts before owner assignment

Attack entry point

  • hasAccountsOnAnyUser logic: A conditional check in DevicePolicyManagerService.java that fails to block post-provisioning owner assignment

Remediation actions

Actor: Device User or IT Administrator
Action: Install Google’s December 2024 Android security update
System: Android OS

Actor: Device User or IT Administrator
Action: Upgrade to an Android build that includes the patched DevicePolicyManagerService
System: Android OS
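
To support the remediation actions above and the earlier advice to monitor device-owner assignments, the following added example (not part of the original page or of Android) audits one device from three values an administrator can collect: the output of `adb shell getprop ro.build.version.release`, of `adb shell getprop ro.build.version.security_patch`, and of `adb shell dpm list-owners`. The owner-line format, the approved package name and the required patch level are assumptions; take the required patch level from the security bulletin.

```python
import re

# Releases the page lists as affected.
AFFECTED_RELEASES = {"13", "14", "15", "16"}

# Assumed line shape of `adb shell dpm list-owners`, e.g.
#   User  0: admin=com.example.mdm/.AdminReceiver,DeviceOwner
OWNER_LINE = re.compile(r"User\s+(\d+):\s+admin=([^,\s]+)((?:,\w+)*)")


def parse_owners(text):
    """Return (user_id, component, set_of_flags) for each owner line."""
    owners = []
    for m in OWNER_LINE.finditer(text):
        flags = {f for f in m.group(3).split(",") if f}
        owners.append((int(m.group(1)), m.group(2), flags))
    return owners


def audit_device(release, patch_level, owners_text, approved_owners, required_patch):
    """List findings for one device; an empty list means nothing to act on."""
    findings = []
    # Patch levels are ISO dates (YYYY-MM-DD), so string comparison orders them.
    if release in AFFECTED_RELEASES and patch_level < required_patch:
        findings.append(f"unpatched: Android {release} at patch level {patch_level}")
    for user_id, component, flags in parse_owners(owners_text):
        package = component.split("/", 1)[0]
        if "DeviceOwner" in flags and package not in approved_owners:
            findings.append(f"unexpected Device Owner {component} (user {user_id})")
    return findings


# Constructed sample data, not captured from a real device.
SAMPLE_MANAGED = "1 owner:\nUser  0: admin=com.example.mdm/.AdminReceiver,DeviceOwner\n"
SAMPLE_ROGUE = "1 owner:\nUser  0: admin=com.unknown.app/.Receiver,DeviceOwner\n"
SAMPLE_NONE = "no owners\n"
APPROVED = {"com.example.mdm"}  # hypothetical MDM agent package
REQUIRED = "2025-12-01"         # placeholder: use the level from the bulletin

if __name__ == "__main__":
    for name, rel, patch, text in [
        ("managed-patched", "15", "2025-12-05", SAMPLE_MANAGED),
        ("rogue-unpatched", "14", "2025-11-01", SAMPLE_ROGUE),
        ("unmanaged", "13", "2025-10-05", SAMPLE_NONE),
    ]:
        print(name, audit_device(rel, patch, text, APPROVED, REQUIRED))
```

Run on a schedule across a fleet, any non-empty result is a device to patch or investigate.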

Exploitation actions

Gain a foothold to call device policy methods without elevated privileges

Actor: Attacker
Action: Deploy or launch a local application with permission to invoke device policy APIs
System: Android Provisioning Framework
Examples:
  • Context.bindService(new Intent("android.app.DevicePolicyManager"), serviceConnection, Context.BIND_AUTO_CREATE);

Trigger the logic error that always returns false for existing accounts

Actor: Attacker
Action: Invoke hasAccountsOnAnyUser with crafted user identifiers to bypass the account-existence check
System: DevicePolicyManagerService
Examples:
  • dpmProxy.hasAccountsOnAnyUser(userHandleAll);

Exploit bypassed check to register as Device Owner without user confirmation

Actor: Attacker
Action: Call setDeviceOwner on the target package post-provisioning
System: DevicePolicyManagerService
Examples:
  • dpmProxy.setDeviceOwner(adminComponentName, "com.attacker.package", userHandleCurrent);

Use DEVICE_MGMT commands to confirm owner-level rights

Actor: Attacker
Action: Verify elevated privileges by querying restricted policy APIs
System: DevicePolicyManagerService
Examples:
  • boolean isOwner = dpmProxy.isDeviceOwnerApp("com.attacker.package");

CVE database technical details

CVE ID: CVE-2025-48633
Description: In hasAccountsOnAnyUser of DevicePolicyManagerService.java, there is a possible way to add a Device Owner after provisioning due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
Provider: google_android
CWE / problem types: Information disclosure
Affected Software Versions: Google Android 16, 15, 14, 13 (all affected)
Date Published: 2025-12-08T16:57:49.260Z
Last Updated: 2025-12-17T15:58:51.966Z