CVE-2025-48633
hasAccountsOnAnyUser · Multiple Products
Executive summary
CVE-2025-48633 is a high-severity vulnerability in the DevicePolicyManagerService component of the Android framework, affecting multiple products. A missing permission check lets a local application learn whether accounts exist on any user or profile of the device, information that is meant to be available only to privileged callers, and that knowledge can be used to select targets for further compromise. Because exploitation in the wild has been confirmed, immediate remediation is critical.
Vulnerability
The flaw is in the hasAccountsOnAnyUser method of DevicePolicyManagerService. The method does not verify that the calling application holds the permission the operation requires, so a low-privileged or malicious application can ask whether any accounts exist across all users and profiles on the device, including a managed work profile whose data is normally isolated from personal-profile apps. Exploitation needs nothing more than a simple application that invokes the method: the answer lets an attacker confirm the presence of high-value corporate or personal accounts and use that intelligence to defeat security mechanisms that depend on it or as a stepping stone in a privilege-escalation chain.
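The bug class is easiest to see side by side. The following sketch is an added illustration, not the AOSP source of hasAccountsOnAnyUser and not the vendor's fix (the real method body and the exact permission enforced may differ): a framework-style method that walks every user with `UserManager` and queries `AccountManager`, first without any caller check, then with the check placed where it must go. The Android classes and the `MANAGE_USERS` permission are real framework identifiers; the class name, method names and the choice of permission are assumptions for the example.

```java
import android.Manifest;
import android.accounts.AccountManager;
import android.content.Context;
import android.content.pm.UserInfo;
import android.os.Binder;
import android.os.UserHandle;
import android.os.UserManager;

/**
 * Illustrative sketch of a system-service binder method that leaks cross-user
 * account state (CVE-2025-48633 bug class). Not the AOSP code or the real fix.
 */
public final class HasAccountsOnAnyUserSketch {
    private final Context mContext;
    private final UserManager mUserManager;

    HasAccountsOnAnyUserSketch(Context systemContext) {
        mContext = systemContext;
        mUserManager = systemContext.getSystemService(UserManager.class);
    }

    /**
     * Vulnerable shape: any app that can reach the binder interface gets an
     * answer, because nothing looks at who is calling before the work is done.
     */
    public boolean hasAccountsOnAnyUserVulnerable() {
        return anyUserHasAccounts();
    }

    /**
     * Hardened shape: authorize the *actual* caller first. The check must run
     * before clearCallingIdentity(); after that call Binder.getCallingUid()
     * reports the system server itself and any permission check would pass.
     */
    public boolean hasAccountsOnAnyUserHardened() {
        mContext.enforceCallingOrSelfPermission(
                Manifest.permission.MANAGE_USERS,   // assumed: the permission a fix might require
                "hasAccountsOnAnyUser requires MANAGE_USERS");
        return anyUserHasAccounts();
    }

    /** Shared privileged work: iterate all users and ask AccountManager for each. */
    private boolean anyUserHasAccounts() {
        // Drop the caller's identity so per-user lookups run with system privileges.
        final long token = Binder.clearCallingIdentity();
        try {
            for (UserInfo user : mUserManager.getUsers()) {
                AccountManager am = mContext
                        .createContextAsUser(UserHandle.of(user.id), 0)
                        .getSystemService(AccountManager.class);
                if (am.getAccounts().length > 0) {
                    return true;   // at least one account on some user/profile
                }
            }
            return false;
        } finally {
            Binder.restoreCallingIdentity(token);
        }
    }
}
```

The design point is the ordering: every privileged binder entry point should authorize the caller on its first line, before any `clearCallingIdentity()`, because once identity is cleared the permission machinery sees the system UID and the check becomes a no-op. Missing that single line is what turns a legitimate device-policy query into an information disclosure reachable by an untrusted app.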
Business impact
This vulnerability is rated High severity with a CVSS score of 7.8. Successful exploitation is a breach of user privacy and of corporate data-segregation guarantees: an attacker can single out devices that hold corporate accounts and therefore have access to sensitive corporate resources, making them prime targets for follow-on attacks. Potential consequences include unauthorized access to confidential company data, compromise of user credentials, and a loss of trust in the organization's security posture. Its presence on the CISA KEV list means the risk of targeted attacks against the organization's mobile device fleet is substantially elevated.
Remediation
Immediate Action: Apply vendor security updates across all affected devices without delay, prioritizing devices that access critical systems or sensitive data. After patching, verify that the update is actually installed; on Android this means confirming that the device reports a security patch level at or after the level named in the vendor bulletin, not merely that an update was offered.
Proactive Monitoring: System administrators should watch for signs of exploitation. This includes reviewing device logs (e.g., Android logcat) for anomalous or repeated interaction with DevicePolicyManagerService, scrutinizing newly installed applications for suspicious behavior, and monitoring for unauthorized attempts to access or create user accounts. Note that a single lookup of this kind leaves little trace on the device, so application vetting and inventory are the more dependable signals.
Compensating Controls: If immediate patching is not feasible, reduce the attack surface. Use a Mobile Device Management (MDM) solution to enforce policies that restrict installation of applications from untrusted sources (sideloading), since the attack requires getting an app onto the device. Ensure devices are configured with strong passcodes and that application sandboxing features are enabled and enforced.
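Both the post-patch verification and the sideloading restriction above can be driven from a device-policy controller. The class below is an added example, not code from the advisory or from any MDM vendor: it compares the device's reported security patch level against a required level and applies the user restrictions that block installs from unknown sources. `Build.VERSION.SECURITY_PATCH`, `DevicePolicyManager.addUserRestriction` and the `UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES*` constants are real Android APIs; the required patch level of 2025-12-01 is an assumption and should be taken from the vendor bulletin for your devices.

```java
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.UserManager;

/** Added example: patch-level check and sideloading lockdown from a DPC. */
public final class FleetHardening {
    // Assumed value; use the security patch level the vendor bulletin names for the fix.
    static final String REQUIRED_PATCH_LEVEL = "2025-12-01";

    /**
     * True if the reported patch level is at or after the required one.
     * Android formats SECURITY_PATCH as YYYY-MM-DD, so a lexical compare is
     * chronological; a null or empty value is treated as unpatched.
     */
    static boolean isPatched(String reportedPatchLevel) {
        return reportedPatchLevel != null
                && reportedPatchLevel.length() == REQUIRED_PATCH_LEVEL.length()
                && reportedPatchLevel.compareTo(REQUIRED_PATCH_LEVEL) >= 0;
    }

    /** Convenience overload that reads the running device's patch level. */
    static boolean isPatched() {
        return isPatched(Build.VERSION.SECURITY_PATCH);
    }

    /**
     * Compensating control for unpatched devices: disallow installs from
     * unknown sources for this user and, when the DPC is device owner, for
     * every user on the device (the GLOBALLY restriction needs API 29+ and
     * device-owner privileges).
     */
    static void restrictSideloading(Context ctx, ComponentName admin, boolean isDeviceOwner) {
        DevicePolicyManager dpm = ctx.getSystemService(DevicePolicyManager.class);
        dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES);
        if (isDeviceOwner && Build.VERSION.SDK_INT >= Build.VERSION_CODES.Q) {
            dpm.addUserRestriction(admin, UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES_GLOBALLY);
        }
    }

    /** Apply the compensating control only where the patch is not yet present. */
    static boolean hardenIfUnpatched(Context ctx, ComponentName admin, boolean isDeviceOwner) {
        if (isPatched()) {
            return false;          // nothing to do; the fix is installed
        }
        restrictSideloading(ctx, admin, isDeviceOwner);
        return true;               // restriction applied, device still needs the update
    }
}
```

Reading the patch level from the device rather than trusting the MDM's "update pushed" status matters because an update can be downloaded and still be waiting on a reboot or on user acceptance; only `Build.VERSION.SECURITY_PATCH` reflects what is actually running.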
Exploitation status
Public Exploit Available: true
Analyst recommendation
Given the high severity of this vulnerability, its listing in the CISA Known Exploited Vulnerabilities (KEV) catalog, and the evidence of active exploitation, we strongly recommend immediate and decisive action. Organizations must deploy the vendor-supplied patches to all affected endpoints before the CISA-mandated deadline of December 22, 2025, and confirm installation on each device rather than assuming it. Failing to remediate in time leaves the organization exposed to a high likelihood of compromise and a potentially significant data breach.