Google’s September 2025 Android Security Bulletin just dropped, and it’s a hefty one—covering 120 different vulnerabilities across the OS, including two zero‑day flaws (CVE‑2025‑38352 and CVE‑2025‑48543) that were already being used in targeted attacks. The company pushed two patch levels—2025‑09‑01 and 2025‑09‑05—to give OEMs flexibility in rolling these out. Though details are scarce, Google confirmed “limited, targeted exploitation” in the wild for those two critical zero‑days, underscoring the urgency of updating your device promptly. Beyond those, the update includes remote‑code‑execution, privilege‑escalation, info‑disclosure, and denial‑of‑service fixes spanning framework, system, kernel, and vendor components—making this one of the most substantial security updates of the year so far.
Sources: Hacker News, Malwarebytes, The Register
Key Takeaways
– Critical Zero‑Days Fixed: Two actively exploited vulnerabilities (CVE‑2025‑38352, CVE‑2025‑48543) were patched—no user interaction required to exploit.
– Largest Patch Roll‑Out This Year: With 120 flaws addressed, this is the most extensive Android update so far in 2025.
– Flexible Deployment Option: The dual‑layered patch levels (2025‑09‑01 and 2025‑09‑05) let device makers roll out essential fixes faster while preparing broader coverage.
In-Depth
September’s Android security patch is a heavy hitter, and for good reason. Google has rolled out fixes for a staggering 120 vulnerabilities—a clear reminder of the complexity and critical nature of keeping a mobile ecosystem secure. Among these issues are two zero‑day bugs—CVE‑2025‑38352, lurking in the Linux kernel, and CVE‑2025‑48543, rooted in the Android Runtime. Both flaws reportedly allow bad actors to escalate privileges without needing user interaction—making them highly dangerous.
Knowing that these vulnerabilities were already being exploited in limited, targeted attacks gives this update real-world urgency. Google smartly maintained transparency by warning users and partners about the threat, even without dishing out exploit details. To ease rollout complexity, they’ve issued two patch levels—2025‑09‑01 handles the core Android and framework fixes, while 2025‑09‑05 expands coverage to kernel and vendor-specific components, giving device makers some leeway.
But the zero-days aren’t the only headline here. The bulletin also includes a wide breadth of fixes: remote‑code‑execution, information disclosure, denial‑of‑service, and more—across system components and third-party parts. A quick glance at historical context shows this is one of the most comprehensive patches we’ve seen in 2025—especially considering that July saw no patch at all, breaking the usual monthly cadence.
From a security standpoint, here’s what you should do now:
1) Update immediately—check your device’s Android security patch level and install the latest available (preferably 2025-09-05).
2) Enable Google Play Protect and routine updates—that adds a layer of real-time defense.
3) Enterprise teams should expedite push-out of these updates across managed fleets to close gaps in vulnerable systems.
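For fleet triage, the sketch below buckets devices by reported security patch level against the two levels this bulletin defines. It is an added example, not code from Google or the cited sources; the CSV layout, column names and device IDs are constructed, and the values are assumed to come from the Android system property `ro.build.version.security_patch` (for example via `adb shell getprop` or an MDM export).

```python
import csv
import io
from datetime import date

# Patch levels named in the article. Per its description, 2025-09-01 carries
# the core Android and framework fixes; 2025-09-05 adds kernel and vendor fixes.
FRAMEWORK_LEVEL = date(2025, 9, 1)
FULL_LEVEL = date(2025, 9, 5)


def classify(patch_level):
    """Map a security patch level string (YYYY-MM-DD) to a triage bucket."""
    try:
        level = date.fromisoformat((patch_level or "").strip())
    except ValueError:
        return "unknown"  # missing or malformed value: needs manual review
    if level >= FULL_LEVEL:
        return "full"
    if level >= FRAMEWORK_LEVEL:
        return "partial"  # framework fixes only; kernel/vendor fixes missing
    return "unpatched"


def triage(inventory_csv):
    """Group device IDs from an inventory export by triage bucket."""
    buckets = {"full": [], "partial": [], "unpatched": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        buckets[classify(row["security_patch"])].append(row["device_id"])
    return buckets


# Constructed sample inventory (hypothetical device IDs and column names).
SAMPLE = """device_id,security_patch
phone-001,2025-09-05
phone-002,2025-09-01
tablet-003,2025-08-05
phone-004,
kiosk-005,2025-10-01
"""

if __name__ == "__main__":
    for bucket, devices in triage(SAMPLE).items():
        print(f"{bucket:10} {', '.join(devices) or '-'}")
```

Devices in the "partial" bucket still lack the kernel and vendor fixes, which by the article's description includes the kernel zero-day CVE-2025-38352, so they belong in the same remediation queue as "unpatched" ones.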
In short: don’t wait. This is a pivotal patch addressing critical threats visibly at play. Keeping your device up-to-date isn’t just tech upkeep—it’s essential personal and organizational defense.

