
CVE-2025-48633 and CVE-2025-48572: Android Framework Information Disclosure and Privilege Escalation Vulnerabilities Exploited in the Wild

4 December 2025, 09:01
CVE-2025-48633 and CVE-2025-48572 Vulnerabilities

Following the early-November disclosure of CVE-2025-48593, a critical zero-click flaw in the Android System component, two further vulnerabilities in the Android Framework have come into the spotlight because of their active exploitation, posing emerging risks to organizations worldwide that run affected devices.

The two newly uncovered Android Framework flaws are high-severity vulnerabilities tracked as CVE-2025-48633 and CVE-2025-48572. Google responded promptly by addressing both in its monthly security update. However, the vendor has not yet provided further insight into how these vulnerabilities are being leveraged in the wild, whether adversaries are chaining them or exploiting them independently, or the overall scope of the malicious activity.

As of November 30, the number of reported CVEs has surpassed 42,000, marking a 16.9% increase compared to 2024. The pace remains high, with an average of 128 newly disclosed vulnerabilities each day. These patterns underscore the continued urgency for proactive defense and the growing need for real-time delivery of threat detection content, enabling defenders to spot and mitigate new risks before they gain traction.

Register today for the SOC Prime Platform, the industry’s leading vendor-agnostic suite designed for real-time defense. It offers the full pipeline from detection to simulation and features the world’s largest detection intelligence dataset, with emerging threats updated daily to help organizations stay ahead of the curve. Use the Explore Detections button to view context-enriched SOC content for vulnerability exploitation, conveniently filtered by a dedicated “CVE” tag.


Detection logic is compatible with dozens of leading SIEM, EDR, and Data Lake technologies and is aligned with the MITRE ATT&CK® framework for consistent threat mapping. Each detection algorithm is enhanced with AI-native detection intelligence and comprehensive metadata, including CTI references, attack timelines, audit configuration, triage recommendations, and more actionable threat context.

Security teams can further leverage Uncoder AI to streamline detection engineering by converting IOCs into custom hunting queries, generating detection logic directly from threat reports, visualizing Attack Flow diagrams, predicting ATT&CK tags, translating content across multiple formats, and automating a wide range of daily workflows end-to-end. 

CVE-2025-48633 and CVE-2025-48572 Analysis

Google has recently issued its December 2025 Android Security Bulletin, resolving 100+ vulnerabilities across multiple components, including the Framework, System, Kernel, and third-party hardware drivers. The vendor confirmed that two of these flaws, CVE-2025-48633, an information disclosure issue, and CVE-2025-48572, a privilege escalation flaw, have been exploited in real-world attacks and may be subject to limited, targeted abuse. The December bulletin includes two patch levels to help device manufacturers deploy shared fixes more rapidly.

On December 2, 2025, CISA added CVE-2025-48633 and CVE-2025-48572 to its Known Exploited Vulnerabilities catalog, mandating that U.S. federal agencies patch them by December 23, 2025, due to the significant risk they pose.

Security enhancements in modern Android versions significantly reduce the likelihood of successful exploitation. As feasible CVE-2025-48633 and CVE-2025-48572 mitigation steps, users should update their devices to the latest Android release and promptly apply security patches. In addition, Google Play Protect, which is enabled by default, helps detect and block harmful apps; this is particularly important for users who install software from outside Google Play.

With the constantly increasing volumes of vulnerabilities exploited in the wild, proactive cyber defense measures are becoming a top priority for progressive organizations concerned about maintaining robust cyber resilience. By leveraging SOC Prime’s AI-native detection intelligence platform built for real-time defense, security teams can take their enterprise security protection to the next level and strengthen the organization’s cybersecurity posture.

The post CVE-2025-48633 and CVE-2025-48572: Android Framework Information Disclosure and Privilege Escalation Vulnerabilities Exploited in the Wild appeared first on SOC Prime.

CVE-2025-41115: A Maximum-Severity Privilege Escalation Vulnerability in the Grafana SCIM Component 

24 November 2025, 08:24
CVE-2025-41115 Vulnerability

Following the early November reveal of CVE-2025-48593, a critical RCE issue in the Android System component, another maximum-severity vulnerability is causing a stir in the cyber threat landscape. The newly identified Grafana flaw, tracked as CVE-2025-41115, could enable privilege escalation or user impersonation in specific configurations. 

Grafana, a popular open-source analytics platform, has repeatedly been targeted over the past five years, posing a threat to its global user base. For instance, in mid-June 2025, researchers uncovered an XSS vulnerability in Grafana, CVE-2025-4123, enabling adversaries to execute malicious plugins and compromise user accounts without requiring elevated permissions.

Such vulnerabilities underscore the growing volume of security issues impacting open-source ecosystems. The 2025 Open Source Security and Risk Analysis (OSSRA) report revealed that 86% of reviewed applications contained vulnerable open-source components, and 81% included flaws rated high or critical. These trends reinforce the ongoing need for proactive vigilance and real-time threat detection content, ensuring defenders can identify and mitigate emerging risks before they escalate.

Register now for the SOC Prime Platform, the industry-leading vendor-agnostic product suite built for real-time defenders, to discover a broad collection of curated detection content and AI-native threat intelligence, helping security teams stay ahead of attackers. Click Explore Detections to get access to context-enriched SOC content for vulnerability exploit detection filtered by the corresponding custom “CVE” tag.


Detection algorithms can be applied across dozens of widely adopted SIEM, EDR, and Data Lake solutions and are aligned with the MITRE ATT&CK® framework. Additionally, each rule is enriched with AI-native threat intel, including CTI links, attack timelines, audit configurations, triage recommendations, and other in-depth metadata.

Security teams can also take advantage of Uncoder AI to instantly convert IOCs into custom hunting queries, generate detection code from raw threat reports, visualize Attack Flow diagrams, enable ATT&CK tags prediction, translate detection content across multiple formats, and perform other daily detection engineering tasks end-to-end. 

CVE-2025-41115 Analysis

Grafana has recently rolled out updated builds of Grafana Enterprise 12.3, along with refreshed versions 12.2.1, 12.1.3, and 12.0.6, each addressing a newly discovered maximum-severity vulnerability (CVE-2025-41115). The issue was discovered during an internal audit on November 4, 2025. The flaw has the highest possible CVSS score of 10.0 and affects the SCIM (System for Cross-domain Identity Management) feature, introduced in mid-spring 2025 and currently in public preview.

The issue appears in Grafana 12.x when SCIM provisioning is both enabled and configured. A malicious or compromised SCIM client can provision a user with a numeric externalId, potentially overriding internal user IDs and enabling impersonation, even of an admin account, or escalating privileges.

Exploitation requires both the enableSCIM feature flag and the user_sync_enabled option in the [auth.scim] configuration block to be enabled.

The vulnerability impacts Grafana Enterprise versions 12.0.0 through 12.2.1. Because Grafana maps the SCIM externalId directly to its internal user.uid, numeric externalId values can be misinterpreted as existing internal user IDs. In specific cases, this can cause a newly created user to be treated as an internal account with elevated privileges.

Grafana immediately released patches as urgent CVE-2025-41115 mitigation measures. Given the vulnerability's severity, organizations are strongly encouraged to update immediately to reduce the risk of attacks. Rely on the SOC Prime Platform, which curates the world's largest detection intelligence dataset and constantly updated detection content against emerging threats, to reinforce your organization's cybersecurity posture and preempt the cyber attacks that matter most.
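As an added example (not Grafana's code or SOC Prime's content), the following Python script turns the preconditions named above into a defender-side check: it tests whether a deployment is in the affected version range with both the enableSCIM feature flag and [auth.scim] user_sync_enabled set, and it flags SCIM user payloads whose externalId is purely numeric, the shape that collides with Grafana's internal user IDs. The grafana.ini fragment and SCIM payloads are constructed samples, and treating any version carrying a "+build" suffix as one of the refreshed, patched rebuilds is an assumption, not something the advisory states.

```python
import configparser
import re
from typing import List, Tuple

# Constructed sample grafana.ini fragment. The [auth.scim] block and the
# user_sync_enabled option are named in the advisory; [feature_toggles]
# with "enable = <comma list>" is Grafana's own way of switching on flags.
SAMPLE_INI = """
[feature_toggles]
enable = enableSCIM

[auth.scim]
user_sync_enabled = true
"""

# Constructed SCIM /Users payloads as an identity provider would submit them.
SAMPLE_USERS = [
    {"userName": "alice", "externalId": "f3a9c0d1-constructed-guid"},
    {"userName": "mallory", "externalId": "1"},
]

def _numeric(version: str) -> Tuple[int, int, int]:
    """Return (major, minor, patch) for a plain 'X.Y.Z' version string."""
    major, minor, patch = (int(x) for x in version.split("."))
    return major, minor, patch

def version_affected(version: str) -> bool:
    """Affected range from the advisory: Enterprise 12.0.0 through 12.2.1.
    Assumption: a '+...' build suffix marks a refreshed, patched rebuild,
    so such versions are reported as not affected."""
    if "+" in version:
        return False
    return (12, 0, 0) <= _numeric(version) <= (12, 2, 1)

def scim_exposure(ini_text: str) -> bool:
    """True only when BOTH preconditions are enabled in the config."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    toggles = [t.strip() for t in cfg.get("feature_toggles", "enable", fallback="").split(",")]
    flag_on = "enableSCIM" in toggles or cfg.getboolean("feature_toggles", "enableSCIM", fallback=False)
    sync_on = cfg.getboolean("auth.scim", "user_sync_enabled", fallback=False)
    return flag_on and sync_on

def is_vulnerable(version: str, ini_text: str) -> bool:
    """Exposed to CVE-2025-41115 only if the build is affected and SCIM sync is on."""
    return version_affected(version) and scim_exposure(ini_text)

def suspicious_external_ids(users: List[dict]) -> List[str]:
    """Return userNames whose externalId is purely numeric; these deserve
    review in SCIM provisioning logs because they collide with internal IDs."""
    return [u.get("userName", "?") for u in users
            if re.fullmatch(r"\d+", str(u.get("externalId", "")))]
```

Run the checks against the real grafana.ini and against SCIM request logs from the identity provider; a non-empty result from suspicious_external_ids on an unpatched, exposed instance warrants an audit of the affected accounts.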

The post CVE-2025-41115: A Maximum-Severity Privilege Escalation Vulnerability in the Grafana SCIM Component appeared first on SOC Prime.
