SOC Advisory – Android and Pixel Critical Vulnerabilities – 8 September 2025

Overview

CVE: CVE-2025-36890, CVE-2025-36896, CVE-2025-36897, CVE-2025-36904, CVE-2025-48581
Severity: Critical
Date: 8 September 2025

Google has disclosed multiple critical vulnerabilities affecting Android and Google Pixel devices. These include remote code execution and privilege escalation flaws in WLAN, system firmware, and update mechanisms. Devices running Android without the 2025-09-05 patch level are exposed to remote takeover, update suppression, or privilege abuse, many of which require no user interaction or additional permissions.

Affected Versions

• Android OS (general): All devices not yet patched to 2025-09-05
• Google Pixel Devices: Firmware older than 2025-09-05 OTA release
• Any Android-based devices using WLAN, AOSP firmware, or standard update channels

Vulnerability Breakdown

CVE-2025-36890 – WLAN Elevation of Privilege

• Component: WLAN
• Impact: Local privilege escalation without user interaction
• Platform: Android (general)

CVE-2025-36896 – WLAN Elevation of Privilege (Pixel-specific)

• Component: WLAN on Pixel
• Impact: Privilege escalation via WLAN firmware flaw
• Platform: Google Pixel devices

CVE-2025-36897 – Remote Code Execution in cd_CnMsgCodecUserApi.cpp

• Component: System
• Impact: Remote code execution via out-of-bounds write
• Platform: AOSP and Pixel

CVE-2025-36904 – WLAN Privilege Escalation (A-396458384)

• Component: WLAN on Pixel
• Impact: Local privilege escalation
• Platform: Pixel devices

CVE-2025-48581 – Update Blocking via Apexd

• Component: apexd.cpp (update framework)
• Impact: Malicious apps may block future security updates
• Platform: Android devices pre-2025-09-05

Mitigation

• Apply the 2025-09-05 Android security patch level to all affected devices
• Update Google Pixel firmware via OTA to build 2025-09-05 or later
• Use MDM/EMM platforms to enforce update compliance across fleet devices
• Restrict WLAN access for unpatched devices in enterprise environments
• No viable workarounds exist. Patching is mandatory

Summary for IT Teams

Products: Android OS, Google Pixel Devices, AOSP-based builds
Threat Level: Critical
Action Required:

• Ensure all devices meet the 2025-09-05 patch level
• Validate OTA delivery and monitor for blocked update mechanisms
• Audit for WLAN privilege escalation attempts or unexpected code execution
• Segment unpatched devices from production networks

Reference

• Android Security Bulletin – September 2025
• Pixel Update Bulletin – September 2025

Need Help?

If your organisation requires assistance identifying affected systems, applying updates or adjusting controller configurations, our team is here to help. Email us via soc@secure-iss.com for assistance.