Android Security Update: Google Patches 120 Vulnerabilities, Including Two Actively Exploited Zero-Days
- John Jordan
- Sep 3
Updated: Sep 16
Google has released its September 2025 security updates for Android, addressing a total of 120 vulnerabilities. Notably, the patch includes fixes for two zero-day flaws that have reportedly been exploited in targeted attacks. These critical vulnerabilities could allow attackers to escalate privileges on affected devices without requiring user interaction.

Key Takeaways
- Google has patched 120 security flaws in Android for September 2025.
- Two zero-day vulnerabilities, CVE-2025-38352 and CVE-2025-48543, were actively exploited in targeted attacks.
- Both vulnerabilities allow for local privilege escalation with no user interaction needed.
- The patches are released in two security levels: 2025-09-01 and 2025-09-05.
Critical Zero-Day Vulnerabilities Addressed
The most concerning aspect of this month's Android security bulletin is the inclusion of two zero-day vulnerabilities that have already been leveraged in real-world attacks. These are:
- CVE-2025-38352: A privilege escalation flaw within the Linux Kernel component, carrying a CVSS score of 7.4. This vulnerability was discovered by Benoît Sevens of Google's Threat Analysis Group (TAG) and is suspected to have been used in targeted spyware campaigns.
- CVE-2025-48543: A privilege escalation flaw in the Android Runtime component, with no CVSS score publicly available.

Google has indicated that both of these vulnerabilities can lead to local privilege escalation, meaning an attacker with initial access to a device can gain higher-level permissions.
Google has confirmed "limited, targeted exploitation" of these issues but has not disclosed specific details on how they were weaponized or if they were used in conjunction.
Broader Security Enhancements
Beyond the critical zero-days, the September patch also rectifies a range of other security weaknesses impacting various Android components. These include vulnerabilities related to remote code execution, further privilege escalation, information disclosure, and denial-of-service attacks affecting the Framework and System components.
Phased Security Patch Levels
To facilitate a quicker response from Android partners, Google has issued the security fixes across two distinct patch levels: September 1, 2025, and September 5, 2025. This staggered approach allows manufacturers to address vulnerabilities that are common across most Android devices more promptly. Google strongly encourages all Android partners to implement all fixes and adopt the latest available security patch level.
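A fleet check for the two patch levels described above, as an added example that is not part of the original article: it classifies the value a device reports in `ro.build.version.security_patch`. The function names, device serials and inventory lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: triage devices against the two September 2025 patch levels.
# Input value is what a device reports, e.g. via:
#   adb -s <serial> shell getprop ro.build.version.security_patch

PARTIAL_LEVEL="2025-09-01"   # first September 2025 patch level
FULL_LEVEL="2025-09-05"      # second level; also covers everything in the first

# classify_patch_level LEVEL -> prints: invalid | outdated | partial | current
classify_patch_level() {
    level=$1
    # Accept only YYYY-MM-DD; empty or free-text values are reported as invalid.
    case $level in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo invalid; return 0 ;;
    esac
    # Fixed-width ISO dates compare correctly as integers once dashes are removed.
    n=$(printf '%s' "$level" | sed 's/-//g')
    partial=$(printf '%s' "$PARTIAL_LEVEL" | sed 's/-//g')
    full=$(printf '%s' "$FULL_LEVEL" | sed 's/-//g')
    if [ "$n" -ge "$full" ]; then echo current
    elif [ "$n" -ge "$partial" ]; then echo partial
    else echo outdated
    fi
}

# report_fleet: reads "serial patch_level" lines on stdin and prints only the
# devices that are not at the full September 2025 level.
report_fleet() {
    while read -r serial level; do
        [ -n "$serial" ] || continue
        status=$(classify_patch_level "$level")
        [ "$status" = current ] || echo "$serial $status"
    done
}

# Constructed sample inventory (serials and levels are made up).
sample_inventory() {
cat <<'EOF'
EMU0001 2025-09-05
EMU0002 2025-09-01
EMU0003 2025-08-05
EMU0004 unknown
EOF
}

sample_inventory | report_fleet
```

A `partial` result means the device has the 2025-09-01 fixes but not the additional ones reserved for 2025-09-05; `invalid` entries need a manual look because the property was missing or malformed.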
This proactive patching follows similar efforts last month, where Google addressed two Qualcomm vulnerabilities (CVE-2025-21479 and CVE-2025-27038) that were also reported as being actively exploited in the wild.
Sources
Google Patches 120 Flaws, Including Two Zero-Days Under Attack, The Hacker News.