The U.S. Cybersecurity& Infrastructure Security Agency (CISA) is urging users of Samsung Galaxy and Google Pixel phones to apply the December 2025 security update by December 23 — otherwise, stop using their devices if no fix is available. According to a Reuters-referenced bulletin, two newly discovered zero-day vulnerabilities (CVE-2025-48633 and CVE-2025-48572) in Android’s core framework are already under limited, targeted exploitation and could allow remote denial-of-service attacks (or worse). Google quickly pushed a security patch via its December “2025-12-01” release, while Samsung simultaneously confirmed its own emergency update covering additional critical flaws — a move CISA characterizes as essential. Even though the public mandate legally binds only federal agencies, CISA emphasizes that all Android users should comply to avoid serious cyber-security risks.
Sources: Forbes, Security Week
Key Takeaways
– Two zero-day vulnerabilities in Android (CVE-2025-48633 and CVE-2025-48572) are being actively exploited, prompting an urgent security patch.
– Both Google (for Pixel) and Samsung (for Galaxy) have released updates — but rollout timing varies, so many users may still be unprotected.
– CISA’s directive affects federal employees but serves as a strong recommendation for all users: failing to update means assuming serious risk.
In-Depth
The digital cold war just got hotter. On December 2, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a rare but unambiguous directive: owners of Samsung Galaxy and Google Pixel smartphones must install the latest security updates by December 23 — or they should stop using the devices altogether if no patch is available. That kind of language reflects a serious judgment: the vulnerabilities involved are actively being exploited, and the risk is real.
At the heart of the matter are two zero-day flaws discovered in Android’s core framework (CVE-2025-48633 and CVE-2025-48572), which allow remote attackers to execute denial-of-service attacks — potentially without additional privileges. That means hackers could crash or hijack devices remotely, possibly as a precursor to deeper intrusions. According to the publication analyzing the December Android security bulletin, these vulnerabilities were among the most severe addressed, and Google’s December 1 patch — released broadly — was meant to neutralize them on all eligible Android devices.
For Pixel users, that patch should roll out swiftly, given Google’s direct control over updates. Samsung, however, had to integrate the fixes into its own update pipeline; it acknowledged three additional critical vulnerabilities (discovered by Google’s Project Zero team) linked to its image-processing library — each capable of allowing “out-of-bounds memory access.” The company promptly confirmed an emergency update for all eligible Galaxy devices. That dual pressure — from both Android and OEM-specific flaws — helped spur CISA’s warning.
CISA’s directive is binding only for federal personnel, but its broader impact is clear: it serves as a de facto minimum security standard for any Android user. The agency warned that affected devices without mitigation pose a serious threat — not only to personal data, but also to broader networks those devices may connect to. Given the widespread use of Samsung and Pixel devices, leaving them unpatched would mean exposing not only personal digital hygiene to risk, but potentially others as well.
On the pragmatic side, timing matters. While Pixel devices likely received patches quickly, many Samsung users — especially those with older or carrier-locked models — may face delays. In such cases, CISA recommends discontinuing use until the patch is applied. That means no banking apps, no sensitive communication apps, and perhaps even offline use only until security is restored.
In short: if you own a Samsung Galaxy or Pixel phone — or know someone who does — make sure the December 2025 patch is installed immediately. The alternative isn’t just an app crash — it could be a full-blown hack, with data theft, system compromise, or worse. In 2025’s world of increasingly aggressive mobile threats, updating your phone isn’t optional; it’s a critical act of self-defense.