The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert about a high-severity zero-day vulnerability in the Android operating system that is currently being exploited in real-world attacks.
Identified as CVE-2025-48543, the flaw is a use-after-free vulnerability in the Android Runtime (ART), the core component responsible for running applications on Android devices. This memory corruption bug allows attackers to bypass the Chrome browser sandbox, leading to local privilege escalation.
A successful exploit grants attackers elevated control over affected devices, enabling installation of persistent malware, access to sensitive data, or full device takeover.
CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on September 4, 2025, confirming active exploitation before a public patch was available. CISA has not disclosed which threat actors are involved or which attack campaigns are using the flaw.
In response, CISA has issued a binding operational directive for all Federal Civilian Executive Branch agencies to apply vendor-provided mitigations by September 25, 2025. If patches are unavailable, agencies must stop using the affected products to avoid compromise.
Google patched the vulnerability in its September 2025 Android Security Bulletin released on September 1. CISA urges all organizations and Android users to promptly install this update through their device’s system update settings (Settings > System > System update).
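As an added example (not part of the CISA alert or Google's bulletin), the following POSIX shell check lets a defender confirm that a device's security patch level meets the September 2025 bulletin, either over `adb` for an attached device or by feeding patch-level strings exported from an MDM inventory. It assumes the fix ships at patch level 2025-09-01 (the bulletin release date named above) and that `adb` is on the path when the `--device` mode is used.

```shell
#!/bin/sh
# Added example, not part of the CISA alert: check whether an Android device's
# security patch level (ro.build.version.security_patch) is at or past the
# September 2025 bulletin that fixes CVE-2025-48543.
# Assumption: the fix ships at patch level 2025-09-01 (the bulletin's release
# date); adjust REQUIRED_PATCH_LEVEL if your vendor's bulletin states otherwise.
REQUIRED_PATCH_LEVEL="2025-09-01"

# patch_level_ok LEVEL [REQUIRED]
# LEVEL is a YYYY-MM-DD patch level string. Returns 0 when LEVEL is well formed
# and on or after REQUIRED, 1 otherwise. Empty or malformed input fails closed,
# so a device whose property cannot be read is reported as not patched.
patch_level_ok() {
    level=$1
    required=${2:-$REQUIRED_PATCH_LEVEL}
    case "$level" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    # Drop the dashes so the dates compare as integers (20250905 >= 20250901).
    lvl=$(printf '%s' "$level" | tr -d '-')
    req=$(printf '%s' "$required" | tr -d '-')
    [ "$lvl" -ge "$req" ]
}

# verdict LEVEL: one-line, greppable result for fleet reports.
verdict() {
    if patch_level_ok "$1"; then
        printf 'patched     level=%s\n' "$1"
    else
        printf 'NOT PATCHED level=%s required>=%s\n' "${1:-<unreadable>}" "$REQUIRED_PATCH_LEVEL"
    fi
}

# check_device [SERIAL]: read the property from an adb-attached device.
# Usage: sh check_patch.sh --device [SERIAL]
check_device() {
    if [ -n "$1" ]; then set -- -s "$1"; else set --; fi
    # tr strips the CR/LF that adb shell appends on some versions.
    level=$(adb "$@" shell getprop ro.build.version.security_patch 2>/dev/null | tr -d '\r\n')
    verdict "$level"
}

case "${1:-}" in
    --device) check_device "$2" ;;
esac
```

Inventory exports can be checked offline by calling `verdict` on each exported patch-level string; any line reading `NOT PATCHED` is a device still inside the September 25, 2025 remediation window.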
Applying patches quickly remains crucial to protect against actively exploited threats targeting privilege escalation flaws.