CISA’s Harsh Warning: Update Your Samsung or Pixel Now


According to Forbes, America’s Cybersecurity and Infrastructure Security Agency (CISA) has issued a mandatory order for federal staff to update their Samsung and Google Pixel phones by December 23 or stop using them entirely. The warning follows Google’s confirmation of two critical Android vulnerabilities, CVE-2025-48633 and CVE-2025-48572, which “may be under limited, targeted exploitation” and require no special privileges for a remote denial-of-service attack. Samsung has also confirmed three critical vulnerabilities of its own, all found by Google’s Project Zero team, enabling remote attackers to access out-of-bounds memory. While Google says all Android manufacturers will get fixes by Wednesday, December 18, the rollout speed will vary, with Pixels expected quickly and Samsungs taking longer. CISA extends its stark “update or discontinue” guidance to all users, not just government employees.


CISA Means Business

Here’s the thing: when CISA puts a vulnerability in its Known Exploited Vulnerabilities Catalog and sets a hard deadline, it’s not messing around. This isn’t a theoretical risk. The agency is basically saying they have evidence these flaws are being used in the wild, right now. For federal workers, that “discontinue use” line isn’t a suggestion—it’s policy. And if it’s that serious for them, why would any regular user think they’re immune? The “or else” is pretty dramatic: stop using your phone. That shows how severe they consider the threat.

The Samsung Puzzle

Now, the situation with Samsung is particularly messy and worth a closer look. The report notes that only one of the two CISA-flagged Android vulnerabilities is on Samsung’s published list. Why is the other missing? We don’t know, and that opacity is frustrating. More concerning is that Samsung’s three new critical flaws all hit the same libimagecodec.quram.so library. Sound familiar? That’s the same component behind Samsung’s emergency patch in October that also triggered a CISA warning. So we have a recurring problem in the same piece of code. That doesn’t inspire confidence. You can check Samsung’s security update page, but as always, the rollout will be a slow drip across models and carriers.

The Update Reality Check

And this is the eternal Android problem, isn’t it? Google can issue fixes to its Android Security Bulletin and promise OEMs get them by a certain date. But then what? Pixel users will probably be okay within days. Samsung’s latest flagships? Maybe within a week or two. But older models or phones from other manufacturers? They could be waiting for months, if they ever get the patch at all. Meanwhile, CISA’s deadline ticks down. This gap between a fix existing and it actually reaching a device is Android’s biggest security weakness. It leaves millions of users in a dangerous limbo where the only “mitigation” is to stop using a critical piece of technology. That’s not a real solution for most people.

What You Should Do Now

So, what’s the takeaway? First, check for updates on your Pixel or Samsung device immediately. Don’t wait. If you have a Pixel, you’re in the best position. For Samsung users, you’re at the mercy of your carrier’s schedule, but keep checking manually. If you’re on an older or unsupported Android model from any brand, this is a harsh reminder of the risks you’re accepting by using outdated software. CISA’s catalog is meant to be a prioritization framework for organizations, but it’s a great one for individuals too. Basically, if a nation’s cyber defense agency is worried enough to tell people to stop using their phones, you should be worried enough to hit “update” right now.
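An added example (not from the article, Forbes or CISA) of turning that prioritization into a check for a managed Android fleet: it reads entries in the shape of CISA’s KEV JSON feed, takes the earliest due date for the two CVEs above, and compares each device’s reported security patch level against a required bulletin level. The KEV sample, the fleet inventory and the `2025-12-05` patch level are constructed placeholders, not values from the page.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed (field names follow the
# real feed; the CVE ids and December 23 due date come from the article, the
# remaining values are made up for this example).
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-48633", "vendorProject": "Android", "product": "Framework",
     "dueDate": "2025-12-23", "requiredAction": "Apply mitigations per vendor "
     "instructions or discontinue use of the product if mitigations are unavailable."},
    {"cveID": "CVE-2025-48572", "vendorProject": "Android", "product": "Framework",
     "dueDate": "2025-12-23", "requiredAction": "Apply mitigations per vendor "
     "instructions or discontinue use of the product if mitigations are unavailable."},
    {"cveID": "CVE-0000-00000", "vendorProject": "PlaceholderVendor", "product": "Router",
     "dueDate": "2025-11-30", "requiredAction": "placeholder, not an Android entry"},
]})

# Assumed: the bulletin patch level that carries the fix. Read the real value from
# the Android Security Bulletin; "2025-12-05" is a placeholder for this example.
REQUIRED_PATCH_LEVEL = "2025-12-05"

# Constructed fleet: device name -> output of
# `adb shell getprop ro.build.version.security_patch` (empty = not reported).
FLEET = {"pixel-01": "2025-12-05", "galaxy-02": "2025-11-01", "galaxy-03": ""}

def android_kev_deadline(kev_json, cve_ids):
    """Earliest KEV due date among the given CVEs filed under Android, or None."""
    entries = json.loads(kev_json)["vulnerabilities"]
    dues = [date.fromisoformat(e["dueDate"]) for e in entries
            if e["cveID"] in cve_ids and e["vendorProject"] == "Android"]
    return min(dues) if dues else None

def parse_patch_level(raw):
    """Parse a YYYY-MM-DD security patch level; None if missing or garbled."""
    try:
        return date.fromisoformat(raw.strip())
    except (ValueError, AttributeError):
        return None

def triage(fleet, required, due, today):
    """Classify each device as compliant, update (before due), discontinue (past due) or unknown."""
    result = {}
    for name, raw in fleet.items():
        level = parse_patch_level(raw)
        if level is None:
            result[name] = "unknown"
        elif level >= date.fromisoformat(required):
            result[name] = "compliant"
        else:
            result[name] = "discontinue" if today > due else "update"
    return result

if __name__ == "__main__":
    due = android_kev_deadline(KEV_SAMPLE, {"CVE-2025-48633", "CVE-2025-48572"})
    for dev, status in triage(FLEET, REQUIRED_PATCH_LEVEL, due, date.today()).items():
        print(f"{dev}: {status} (KEV due {due})")
```

Devices reporting no patch level land in "unknown" rather than being silently treated as patched, which is the case that bites when an MDM export is incomplete.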
