Google has released a security update addressing 107 vulnerabilities across the Android ecosystem, and the detail that makes this patch more urgent than the volume alone suggests is that two of those vulnerabilities are not theoretical risks. CVE-2025-48633, an information disclosure flaw, and CVE-2025-48572, an elevation of privilege vulnerability, are both being actively exploited in real-world attacks. Attackers do not wait for organizations to complete measured patch deployment timelines once a working exploit is in circulation. The window between patch release and exploitation of unpatched devices is shorter than it has ever been, and businesses running Android devices that have not yet applied this update are operating with doors that attackers are already confirmed to be trying.
Understanding what these vulnerabilities actually expose and why the combination of the two active exploits is particularly consequential gives the patch deployment decision the context it deserves.
What the Active Exploits Are Doing
The two vulnerabilities being exploited in active attacks are not independent risks that happen to be patched in the same update. They represent a sequence that attackers can chain together to achieve substantially more than either vulnerability enables alone.
An information disclosure vulnerability allows an attacker to access data that the system’s permissions are supposed to protect. On a device used for business operations, the data accessible through this class of exploit can include stored credentials, session tokens, communications, and the contents of applications the device is running. The information extracted does not just represent the data itself. It represents the intelligence an attacker needs to escalate their access or target additional systems connected to the compromised device.
An elevation of privilege vulnerability allows an attacker who has established limited access to escalate that access to higher permission levels, potentially achieving control over functions and data that the initial compromise would not have reached. Combined with the information harvested through the disclosure vulnerability, the elevation path becomes clearer, and the scope of what the attacker can ultimately reach expands significantly.
The practical consequence of this combination on a device used for business operations is a progression from initial access to meaningful device control that happens faster and reaches further than either vulnerability would enable independently. A device that authenticates into business email, financial platforms, customer management systems, or internal communications tools is not just a compromised phone. It is a compromised access point into every system that the device touches.
Why Android Devices Carry Risk That Business Security Postures Undercount
The security investment that most businesses make in their computing infrastructure reflects an accurate understanding of what those devices can access and what their compromise would cost. The same logic applies to Android devices used for business purposes, but the security posture applied to mobile devices frequently does not match the access those devices actually have.
A phone that receives business email, approves financial transactions, accesses customer data, and authenticates into internal systems is functionally equivalent to a laptop in terms of what its compromise exposes. The difference is that the security practices applied to laptops (enforced update policies, centralized management, access controls, and monitoring) are often not applied with equivalent rigor to mobile devices, particularly when those devices are employee-owned rather than company-issued.
This patch’s scope compounds that risk. The 107 vulnerabilities addressed span core system components, kernel elements, Android framework code, and hardware-level software from multiple chipmakers, including Arm, Qualcomm, and MediaTek. The breadth means that the affected device population is not limited to a specific manufacturer or model. Organizations whose employees use Android devices from multiple manufacturers are exposed across that entire range until patches are applied, and the variation in how quickly different manufacturers push Google’s security updates to their specific device configurations means that some devices in a mixed fleet may remain unpatched longer than others.
The Deployment Response That the Active Exploitation Warrants
The presence of vulnerabilities being actively exploited in the wild shifts the patch deployment calculation from routine update scheduling to a response that reflects the actual risk environment. Scheduled maintenance windows and measured rollout timelines are appropriate for updates that address theoretical vulnerabilities. They are less appropriate when the exploitation method is confirmed and in active use.
For organizations that manage Android devices centrally through mobile device management platforms, the immediate action is to enforce the security update across managed devices without waiting for the standard update cycle. MDM configurations that allow devices to defer or decline updates should be reviewed and tightened. A device that has declined a security update containing patches for actively exploited vulnerabilities represents a specific, known risk that the organization’s security posture should not accommodate.
For organizations where employees use personal Android devices to access business systems, the absence of centralized control does not eliminate the responsibility to ensure those devices are patched. Requiring employees to confirm their current patch status and establishing a clear expectation that devices accessing business systems must be current on security updates addresses the risk without requiring the organization to manage devices it does not own.
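The patch-status check described in the two paragraphs above can be run against a device inventory export. The following is an added example, not code from the original article or from any MDM vendor; the CSV column names, the sample rows, and the `REQUIRED_PATCH_LEVEL` value are constructed placeholders.

```python
import csv
import io
from collections import Counter
from datetime import date

# Constructed placeholder: substitute the patch level the bulletin names for this update.
REQUIRED_PATCH_LEVEL = "2025-01-01"

# Constructed sample inventory export; column names are assumptions, not a vendor schema.
SAMPLE_INVENTORY = """device_id,manufacturer,security_patch_level,update_deferred
A-001,VendorA,2025-02-05,no
A-002,VendorA,2024-11-01,yes
B-001,VendorB,2024-12-05,no
B-002,VendorB,,no
C-001,VendorC,2025-01-01,yes
"""

def parse_level(text):
    """Return the patch level as a date, or None if missing or malformed."""
    try:
        return date.fromisoformat(text.strip())
    except ValueError:
        return None

def audit(csv_text, required=REQUIRED_PATCH_LEVEL):
    """Return (device_id, manufacturer, status) for every device needing action."""
    floor = date.fromisoformat(required)
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        level = parse_level(row["security_patch_level"])
        deferred = row["update_deferred"].strip().lower() == "yes"
        if level is None:
            status = "unknown"            # unreported level is treated as unpatched
        elif level < floor:
            status = "outdated+deferred" if deferred else "outdated"
        elif deferred:
            status = "current+deferred"   # patched now, but policy still allows deferral
        else:
            continue
        findings.append((row["device_id"], row["manufacturer"], status))
    return findings

def lag_by_manufacturer(findings):
    """Count devices not confirmed current, per manufacturer (uneven vendor rollout)."""
    return Counter(m for _, m, s in findings if not s.startswith("current"))

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    print(*results, dict(lag_by_manufacturer(results)), sep="\n")
```

On an Android device the patch level is reported by the `ro.build.version.security_patch` system property, which is the value an inventory of this kind would record.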
The supporting actions that reduce exposure while patches are being deployed follow directly from understanding how these vulnerabilities are exploited. Auditing which applications are installed on devices that access business systems reduces the attack surface that information disclosure vulnerabilities can reach. Employee awareness matters as well: telling employees that their devices are being targeted by active exploits, and that the update addresses confirmed attacks rather than hypothetical ones, provides the context that motivates timely action more effectively than generic security reminders.
The Posture Question This Patch Should Prompt
The volume and scope of this update make it newsworthy. The active exploitation of two of its vulnerabilities makes it urgent. The underlying question that surfaces is whether your organization’s mobile security posture is calibrated to the access that mobile devices actually have and the threat environment they actually operate in.
Organizations that have invested in enforced update policies, mobile device management, and clear requirements around the patch status of devices accessing business systems are in a position to respond to this update through existing processes. Organizations that have treated mobile security as a secondary consideration relative to their endpoint and network security investments are discovering through updates like this one that the gap between those two postures has consequences that are no longer theoretical.
The patch is available. The vulnerabilities it addresses are being actively exploited. The deployment decision is the one remaining variable, and the current threat environment does not support treating it as anything other than immediate.