Primary

Context

Android Connectivity Service Wi-Fi VPN Side Channel Information Disclosure Vulnerability

Vulnerability

A vulnerability exists in the ConnectivityService component of Android, specifically in multiple functions of ConnectivityService.java. This vulnerability allows a Wi-Fi access point to infer which websites a device has visited while connected to a VPN, based on leaked side channel information. The issue could result in remote information disclosure without requiring any additional privileges or user interaction for exploitation. This vulnerability affects several Android versions, including 12, 12L, 13, 14, and 15.

Impact

Exploitation of this vulnerability could lead to unauthorized information disclosure, allowing a Wi-Fi access point to monitor browsing activity of a device connected to a VPN.

Remediation

Users can update their devices to the January 2025 security patch level to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.9

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

2.5

exploitability

4.9

remediation

0.0

relevance

0.0

threat

0.0

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Android Connectivity Service Wi-Fi VPN Side Channel Information Disclosure Vulnerability

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating