Google Warns of 2 High-Priority Android Security Vulnerabilities

Google has released its March 2025 Android Security Bulletin to address 44 identified vulnerabilities, two of which are high-severity flaws under active exploitation in the wild: CVE-2024-43093 and CVE-2024-50302.

CVE-2024-43093 is a privilege escalation issue in the Framework component that could grant unauthorized access to sensitive directories. Google previously flagged it as actively exploited in November 2024, and it is unclear why it is being highlighted again.

In contrast, CVE-2024-50302 is part of a zero-day exploit devised by Cellebrite to break into an Android phone used by a Serbian youth activist in December 2024. The exploit chained CVE-2024-53104, CVE-2024-53197, and CVE-2024-50302 to gain elevated privileges.

Google has acknowledged that both vulnerabilities are under limited, targeted exploitation. The company has released two security patch levels – 2025-03-01 and 2025-03-05 – so that Android partners can more quickly fix vulnerabilities that are similar across different devices.

Source: https://thehackernews.com/2025/03/googles-march-2025-android-security.html