CVE-2025-48572

Vendor: multiple · Product: multiple (Multiple Products)

A high-severity vulnerability has been identified across multiple products that allows an attacker to bypass security permissions.

Executive summary

The flaw enables a malicious application to launch new windows or activities from the background, which could be used to overlay legitimate applications with fake login screens to steal credentials or to trick users into granting additional, dangerous permissions. Because active exploitation has been confirmed, immediate patching is critical to prevent system compromise and data theft.

Vulnerability

This vulnerability stems from an improper permission check within the component responsible for managing application activities. An attacker can craft a specially designed request that circumvents the system's security controls, which are meant to prevent background applications from launching user interface components into the foreground. A low-privileged, malicious application can exploit this flaw to force its own activity or screen to appear on top of other applications, without user consent or interaction. This allows the attacker to control what the user sees, enabling UI redressing, phishing, or tapjacking attacks.

Business impact

This vulnerability is rated as High severity with a CVSS score of 7.8. Exploitation could have significant consequences for the organization, primarily through social engineering attacks that appear highly convincing. An attacker could overlay a fake credential-entry screen on a legitimate banking or corporate application, leading to the theft of sensitive user credentials. This could result in unauthorized access to corporate data, financial systems, and other critical resources. The risk is heightened by the vulnerability's presence in multiple products, potentially affecting a wide range of endpoints from mobile devices to workstations.

Remediation

Immediate Action: System administrators must prioritize the deployment of security updates released by the affected vendors to all vulnerable assets. Due to active exploitation, these patches should be applied on an emergency basis. After patching, monitor systems for any signs of compromise that may have occurred prior to remediation and review access logs for anomalous activity.

Proactive Monitoring: Security teams should monitor for indicators of compromise, including unexpected application pop-ups or windows launching without user interaction. In endpoint and system logs, look for unusual patterns of activity launches, particularly from applications running in the background. EDR and MDM solutions can be configured to alert on applications attempting to draw over other apps or requesting sensitive permissions unexpectedly.
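As an added detection example (not code from the advisory or from any vendor), the following Python flags the two indicators the paragraph above names: activity launches whose caller was in the background, and requests for permission to draw over other apps. The event line format, package names and the SYSTEM_ALERT_WINDOW permission name are constructed assumptions; map your own EDR or MDM fields onto them.

```python
import re
from collections import defaultdict

# Constructed sample events in a hypothetical "ts kind key=value ..." format.
# This is NOT a real vendor log format; the package names are made up.
SAMPLE_EVENTS = [
    "2025-12-01T10:00:01Z launch pkg=com.example.bank target=LoginActivity caller_state=foreground",
    "2025-12-01T10:00:05Z launch pkg=com.evil.overlay target=FakeLoginActivity caller_state=background",
    "2025-12-01T10:00:06Z perm pkg=com.evil.overlay permission=SYSTEM_ALERT_WINDOW result=requested",
    "2025-12-01T10:01:00Z launch pkg=com.example.mail target=InboxActivity caller_state=foreground",
    "2025-12-01T10:02:30Z launch pkg=com.example.sync target=StatusActivity caller_state=background",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>launch|perm) (?P<fields>.+)$")

def parse_event(line):
    """Parse one 'ts kind k=v ...' line into a dict; None for unparseable input."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pairs = [kv.split("=", 1) for kv in m.group("fields").split()]
    if any(len(p) != 2 for p in pairs):
        return None
    return dict(pairs, ts=m.group("ts"), kind=m.group("kind"))

def find_suspicious(lines, overlay_perm="SYSTEM_ALERT_WINDOW"):
    """Map package -> [(signal, detail)] for the advisory's two indicators:
    launches by a background caller, and requests to draw over other apps."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or "pkg" not in ev:
            continue  # skip malformed lines rather than crash the pipeline
        if ev["kind"] == "launch" and ev.get("caller_state") == "background":
            findings[ev["pkg"]].append(("background_launch", f"{ev.get('target')} at {ev['ts']}"))
        elif ev["kind"] == "perm" and ev.get("permission") == overlay_perm:
            findings[ev["pkg"]].append(("overlay_request", f"requested at {ev['ts']}"))
    return dict(findings)

def prioritize(findings):
    """Rank packages: a background launch combined with an overlay request is
    the credential-phishing overlay pattern, so it outranks either signal alone."""
    ranked = []
    for pkg, hits in findings.items():
        signals = {s for s, _ in hits}
        level = "high" if {"background_launch", "overlay_request"} <= signals else "medium"
        ranked.append((pkg, level))
    return sorted(ranked, key=lambda r: (r[1] != "high", r[0]))
```

Feed `find_suspicious` real launch and permission events from your telemetry; a "high" result is a candidate for the emergency patch and compromise-review steps above.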

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

  • Utilize application whitelisting to prevent unauthorized or untrusted applications from executing.
  • Enforce policies through an MDM or endpoint security solution to block applications from untrusted sources.
  • Educate users to be suspicious of any unexpected pop-ups or login prompts and to report such behavior immediately.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the High severity rating (CVSS 7.8), the inclusion in the CISA KEV catalog, and confirmed active exploitation, this vulnerability poses a critical and immediate threat to the organization. We strongly recommend that all available vendor patches be applied on an emergency basis across all affected systems, without delay. The CISA KEV deadline of December 22, 2025, should be treated as the absolute final date for remediation. Failure to act swiftly will leave the organization exposed to credential theft, data breaches, and further network intrusion.