Google has released its monthly security update for September 2025, addressing a total of 120 security vulnerabilities in its Android operating system. Among these patches, two stand out as particularly critical because Google has confirmed they have been actively exploited in targeted attacks. These vulnerabilities are CVE-2025-38352, a privilege escalation flaw in the Linux Kernel, and CVE-2025-48543, a similar flaw in the Android Runtime. Both of these security weaknesses could allow a malicious actor to gain higher-level permissions on a device without any user interaction or additional execution privileges, posing a serious threat to user data and device integrity.
The disclosure from Google’s Threat Analysis Group (TAG) regarding the Linux Kernel vulnerability, CVE-2025-38352, is a significant point of concern. This flaw was discovered and reported by Benoît Sevens of TAG, a team known for investigating state-sponsored and other sophisticated cyber threats. The involvement of TAG suggests that this particular vulnerability may have been used as part of targeted spyware campaigns. While Google has not provided specific details on how these issues were weaponized or if they were used in tandem, the company’s acknowledgment of “limited, targeted exploitation” underscores the severity and real-world impact of these security flaws.
In addition to the two actively exploited vulnerabilities, the September 2025 security bulletin resolves a wide range of other issues. The updates patch flaws that could lead to remote code execution, which allows an attacker to run their own code on a device; privilege escalation, which grants an attacker higher permissions; information disclosure, which could leak sensitive user data; and denial-of-service, which can make a device or service unusable. These vulnerabilities affect various components within the Android Framework and System, highlighting the comprehensive nature of Google’s security efforts to maintain the integrity of its mobile ecosystem.
To facilitate a more agile and efficient deployment of these crucial fixes, Google has released two distinct security patch levels: 2025-09-01 and 2025-09-05. This two-tier approach gives Android partners, such as device manufacturers and carriers, the flexibility to address a subset of vulnerabilities that are consistent across all Android devices more quickly. By separating the patches, Google enables partners to prioritize and push out the most critical fixes without waiting for a complete, all-encompassing update. The company has urged its partners to apply all the patches and use the latest security patch level to ensure devices are fully protected.
The recent pattern of actively exploited vulnerabilities being addressed in monthly updates is a notable trend. For instance, in August, Google patched two Qualcomm vulnerabilities, CVE-2025-21479 and CVE-2025-27038, which the chipmaker had also flagged as being exploited in the wild. The consistent discovery and patching of such in-the-wild exploits highlight the ongoing cat-and-mouse game between security researchers and malicious actors. These regular updates are a crucial part of Google’s strategy to protect the vast number of Android users worldwide from evolving cyber threats.
Reference: