
Cellebrite Zero-Day Exploit Chain Targets Serbian Student Activist

Author: Ze Research Writer

Amnesty International's Security Lab disclosed that Cellebrite forensic tools exploited a chain of Android zero-day vulnerabilities to compromise the phone of a Serbian student activist. Cellebrite, responding to Amnesty's earlier December 2024 report on Serbia, suspended its products for certain Serbian customers three days before the new disclosure.

Amnesty International's Security Lab published findings on February 28, 2025, documenting the use of Cellebrite forensic tools to exploit a chain of Android zero-day vulnerabilities against a Serbian student activist. The exploit chain, which could bypass the lock screen of fully patched Android devices, leveraged vulnerabilities in the Linux kernel's USB subsystem. Google's Android Security Bulletin for February 2025 acknowledged that one of the vulnerabilities, CVE-2024-53104, "may be under limited, targeted exploitation."

Figure 1: Visual representation of the Cellebrite exploit chain against the Android USB subsystem

What Happened

Amnesty International's Security Lab released its technical analysis on February 28, 2025, detailing how Cellebrite's Universal Forensic Extraction Device (UFED) exploited Android kernel vulnerabilities to gain unauthorized access to a locked smartphone.

The timeline of events began in December 2024, when Amnesty published "A Digital Prison," a report documenting the use of Cellebrite and NSO Group tools against civil society members in Serbia. During follow-up investigations, researchers identified additional victims, including a student activist whose Android device showed signs of compromise.

Forensic analysis of the student's phone revealed exploitation of USB kernel drivers. The attack required physical access to the device, consistent with Cellebrite's documented capabilities for law enforcement forensic extraction. According to Amnesty's report, the exploit chain could defeat the lock screen protection on devices running the latest available Android security patches at the time of the attack.

On February 25, 2025, three days before Amnesty's public disclosure, Cellebrite issued a statement announcing the suspension of its products for certain customers in Serbia. The company stated it had conducted an investigation following the December 2024 report and determined that suspension was appropriate for "relevant customers."

Google's Android Security Bulletin for February 2025, published on February 3, 2025, included a patch for CVE-2024-53104 and noted the vulnerability "may be under limited, targeted exploitation." The bulletin classified the vulnerability as High severity with an Elevation of Privilege (EoP) impact.

Key Claims and Evidence

Amnesty's technical analysis attributed the exploit chain to Cellebrite based on forensic artifacts and behavioral patterns matching known Cellebrite UFED capabilities. The organization stated that the attack "matches the profile of Cellebrite's mobile forensic tools."

The three CVEs identified in the exploit chain target different components of the Linux kernel's USB subsystem:

CVE-2024-53104 affects the USB Video Class (UVC) driver, which handles webcams and other video capture devices. It is an out-of-bounds write triggered while the driver parses the class-specific VideoStreaming descriptors a connected device presents: the upstream fix, "Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format", notes that frames of that type were parsed even though the earlier size calculation for the frame buffer had not counted them. Google's security bulletin rated this vulnerability as High severity.

CVE-2024-53197 targets the USB audio driver (ALSA USB-audio). According to the upstream Linux kernel fix, a bogus device can report a larger bNumConfigurations value after the driver's quirk handling for certain Extigy and Mbox devices resets it, leading to out-of-bounds accesses of the configuration array that was allocated during enumeration.

CVE-2024-50302 affects the HID (Human Interface Device) subsystem, which handles keyboards, mice, and similar input devices. The HID core allocated its report buffer without zeroing it, so a specially crafted device could cause uninitialized kernel memory to be disclosed; the fix zero-initializes the buffer. A leak of this kind typically assists further exploitation by revealing how kernel memory is laid out.

Amnesty reported that the exploit chain grants "privileged access" to the device, allowing extraction of data without user authentication. The attack vector requires physical possession of the target device and a USB connection.

Google's Threat Analysis Group provided technical assistance to Amnesty's investigation. Benoît Sevens, a security researcher at Google TAG, was credited in the published report.

Figure 2: How the lock screen (authentication) bypass works

Pros and Opportunities

The disclosure was preceded by a vendor response. Cellebrite's decision to suspend services for certain Serbian customers, announced roughly two months after Amnesty's December 2024 report and three days before the new findings were published, shows that public accountability can influence commercial surveillance vendors, though not quickly.

Collaboration between civil society organizations and major technology companies proved effective. Amnesty's partnership with Google TAG led to the identification of the exploited vulnerabilities and to the February 2025 Android patch for CVE-2024-53104; fixes for the other two CVEs were still pending in Android at the time of disclosure.

The February 2025 Android Security Bulletin's acknowledgment of active exploitation provides transparency to device manufacturers and users about real-world threats. Device vendors can prioritize patch deployment based on confirmed exploitation status.

Security researchers and forensic analysts gain valuable intelligence about commercial exploitation techniques. Understanding the specific USB subsystem vulnerabilities targeted helps defenders identify similar attack patterns.

Cons, Risks, and Limitations

The patch gap between Linux kernel fixes and Android security updates leaves devices vulnerable. CVE-2024-53197 and CVE-2024-50302 had been fixed in the upstream Linux kernel but remained unpatched in Android at the time of Amnesty's disclosure.

Physical access requirements do not eliminate the threat for at-risk individuals. Law enforcement agencies, border control, and other authorities routinely obtain physical access to devices during detention, arrest, or inspection.

Cellebrite's suspension applies only to "relevant customers" in Serbia, leaving the scope of the action unclear. The company did not specify which customers were affected or whether similar reviews were conducted for other jurisdictions.

The exploit chain potentially affects over a billion Android devices, according to Amnesty's assessment. The USB subsystem vulnerabilities exist in the Linux kernel used across Android versions and device manufacturers.

Commercial forensic tools continue to operate in a regulatory gray zone. Cellebrite sells its products to law enforcement agencies worldwide, and the company's response to documented misuse varies by jurisdiction and public pressure.

Figure 3: Privilege escalation from USB device enumeration to kernel-level access

How the Technology Works

Cellebrite's Universal Forensic Extraction Device (UFED) is a commercial product designed for law enforcement forensic investigations. The device connects to smartphones via USB and attempts to extract data, including from locked devices.

The exploit chain documented by Amnesty targets the USB subsystem of the Linux kernel, which on Android is the code that handles every device plugged into the phone's port. When a USB device connects, the kernel reads the descriptors the device presents and binds drivers according to the interface classes it claims: the UVC driver for video devices, the ALSA USB-audio driver for audio devices, and the HID driver for input devices. A forensic tool therefore does not need to be a webcam, sound card or keyboard; it only needs to present the descriptors that cause those drivers to load and parse its data.

CVE-2024-53104 is a flaw in how the UVC driver parses the descriptors of a video device. By presenting malformed descriptor data, an attached device can cause an out-of-bounds write that corrupts kernel memory. Combined with the information disclosure from CVE-2024-50302 and the out-of-bounds accesses from CVE-2024-53197, the chain turns that corruption into reliable privilege escalation.

Privilege escalation in this context means obtaining kernel-level code execution, which sits beneath Android's security model: the lock screen, SELinux policy and application sandboxing are all enforced by or above the kernel, and a compromised kernel no longer enforces them. One caveat: kernel access does not by itself decrypt data whose keys are not in memory. Android's file-based encryption releases the credential-protected keys only after the user has unlocked the device once since boot, so what a forensic tool can extract also depends on the state the phone was seized in.

Technical context: the vulnerable code paths run without any user authentication. The kernel enumerates a newly attached USB device and binds drivers to it whether or not the screen is locked, so a device presenting malformed descriptors reaches the UVC, USB-audio and HID parsing code while Android's user-space lock screen is still in place; the exploit never has to interact with the lock screen at all.
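As an added illustration of the bug class behind CVE-2024-53104 that the passages above describe (a sizing pass and a parsing pass that disagree about which descriptors are frames), the following C program models it in user space. This is example code written for this article, not the kernel's uvcvideo driver and not anything from Amnesty's or Cellebrite's work; the descriptor bytes are constructed, the struct and function names are hypothetical, and the bounds check that reports the overrun stands in for the write the unfixed kernel performed unchecked. The subtype constants follow the UVC class-specific VideoStreaming descriptor codes.

```c
/* Simplified user-space model of the CVE-2024-53104 bug class in the UVC driver:
 * a two-pass descriptor parser whose sizing pass and parsing pass disagree about
 * what counts as a frame. Illustrative only; not the kernel's uvcvideo code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define USB_DT_CS_INTERFACE        0x24
/* UVC class-specific VideoStreaming descriptor subtypes. */
#define UVC_VS_UNDEFINED           0x00
#define UVC_VS_FORMAT_UNCOMPRESSED 0x04
#define UVC_VS_FRAME_UNCOMPRESSED  0x05
#define UVC_VS_FORMAT_MJPEG        0x06
#define UVC_VS_FRAME_MJPEG         0x07
#define UVC_VS_FORMAT_DV           0x0c

/* Hypothetical per-frame record standing in for the driver's frame struct. */
struct frame { uint8_t index; uint16_t width; uint16_t height; };

/* Descriptor at `off` is well-formed: bLength >= 3 and fully inside the buffer. */
static int desc_ok(const uint8_t *buf, size_t len, size_t off) {
    return off + 3 <= len && buf[off] >= 3 && off + buf[off] <= len;
}

/* Frame subtype that follows a given format subtype; 0 (UVC_VS_UNDEFINED) for
 * formats such as DV that carry no frame descriptors at all. */
static uint8_t frame_type_for(uint8_t format_subtype) {
    switch (format_subtype) {
    case UVC_VS_FORMAT_UNCOMPRESSED: return UVC_VS_FRAME_UNCOMPRESSED;
    case UVC_VS_FORMAT_MJPEG:        return UVC_VS_FRAME_MJPEG;
    default:                         return UVC_VS_UNDEFINED;
    }
}

/* Pass 1 (sizing): count only known frame subtypes; this decides the allocation. */
static size_t count_frames(const uint8_t *buf, size_t len) {
    size_t n = 0;
    for (size_t off = 0; desc_ok(buf, len, off); off += buf[off]) {
        uint8_t st = buf[off + 2];
        if (buf[off + 1] == USB_DT_CS_INTERFACE &&
            (st == UVC_VS_FRAME_UNCOMPRESSED || st == UVC_VS_FRAME_MJPEG))
            n++;
    }
    return n;
}

/* Pass 2 (parsing): after each format descriptor, copy the frame descriptors that
 * follow it into `out` (capacity `cap`, sized by pass 1). With
 * require_frame_type == 0, a format whose frame type is UVC_VS_UNDEFINED makes
 * the inner loop accept subtype 0x00 descriptors that pass 1 never counted.
 * Returns frames stored, or -1 where the unfixed code would write past `cap`. */
static long parse_frames(const uint8_t *buf, size_t len, struct frame *out,
                         size_t cap, int require_frame_type) {
    size_t n = 0, off = 0;
    while (desc_ok(buf, len, off)) {
        uint8_t st = buf[off + 2];
        int is_format = buf[off + 1] == USB_DT_CS_INTERFACE &&
            (st == UVC_VS_FORMAT_UNCOMPRESSED || st == UVC_VS_FORMAT_MJPEG ||
             st == UVC_VS_FORMAT_DV);
        if (!is_format) { off += buf[off]; continue; }
        uint8_t ftype = frame_type_for(st);
        off += buf[off];
        /* Fixed variant: an undefined frame type matches nothing. */
        while ((ftype || !require_frame_type) && desc_ok(buf, len, off) &&
               buf[off] >= 8 && buf[off + 1] == USB_DT_CS_INTERFACE &&
               buf[off + 2] == ftype) {
            if (n >= cap) return -1; /* check standing in for the unchecked kernel write */
            out[n].index  = buf[off + 3];
            out[n].width  = (uint16_t)(buf[off + 4] | (buf[off + 5] << 8));
            out[n].height = (uint16_t)(buf[off + 6] | (buf[off + 7] << 8));
            n++;
            off += buf[off];
        }
    }
    return (long)n;
}

/* Constructed descriptor set (not captured from any device): a DV format with no
 * frame type, two subtype-0x00 descriptors shaped like frames, then an
 * uncompressed format with one real 640x480 frame. Pass 1 counts one frame. */
static const uint8_t sample_descriptors[] = {
    0x04, USB_DT_CS_INTERFACE, UVC_VS_FORMAT_DV, 0x01,
    0x08, USB_DT_CS_INTERFACE, UVC_VS_UNDEFINED, 0x01, 0x80, 0x02, 0xe0, 0x01,
    0x08, USB_DT_CS_INTERFACE, UVC_VS_UNDEFINED, 0x02, 0x00, 0x04, 0x00, 0x03,
    0x04, USB_DT_CS_INTERFACE, UVC_VS_FORMAT_UNCOMPRESSED, 0x02,
    0x08, USB_DT_CS_INTERFACE, UVC_VS_FRAME_UNCOMPRESSED, 0x01, 0x80, 0x02, 0xe0, 0x01,
};

/* Scratch output array, deliberately larger than the sizing pass says is needed. */
static struct frame scratch[4];

int main(void) {
    size_t len = sizeof sample_descriptors;
    size_t cap = count_frames(sample_descriptors, len);
    long unfixed = parse_frames(sample_descriptors, len, scratch, cap, 0);
    long fixed   = parse_frames(sample_descriptors, len, scratch, cap, 1);
    printf("sizing pass counted %zu frame(s)\n", cap);
    printf("unfixed parser: %ld (-1 = would overrun the allocation)\n", unfixed);
    printf("fixed parser:   %ld frame(s) stored, first is %ux%u\n", fixed,
           (unsigned)scratch[0].width, (unsigned)scratch[0].height);
    return 0;
}
```

Compile with `cc -o uvc_model uvc_model.c` and run it. The sizing pass counts one frame but the unfixed parser tries to store three, because a format with no frame type leaves `ftype` at zero and descriptors of subtype 0x00 then satisfy the frame-matching loop; the upstream fix titled "Skip parsing frames of type UVC_VS_UNDEFINED in uvc_parse_format" closes exactly that gap, modelled here by the `require_frame_type` gate. Keeping the capacity check as well means a future disagreement between the two passes fails closed instead of corrupting the heap.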

Broader Industry Implications

The incident illustrates the tension between legitimate forensic capabilities and surveillance abuse. Cellebrite markets its products for criminal investigations, but the same capabilities enable targeting of journalists, activists, and political opponents.

Commercial exploitation of zero-day vulnerabilities creates a market dynamic where vendors may delay disclosure to preserve capability. The gap between Linux kernel patches and Android security updates provides a window for exploitation even after fixes exist.

The case adds to documented instances of surveillance technology misuse in Serbia. Amnesty's December 2024 report identified use of both Cellebrite and NSO Group tools against civil society. The pattern suggests systematic targeting rather than isolated incidents.

Android's security update distribution model faces scrutiny. Device manufacturers and carriers control update deployment, creating fragmentation in patch availability. Users of older devices or those with delayed updates remain vulnerable longer.

The collaboration between Amnesty and Google TAG represents a model for civil society and industry cooperation on surveillance threats. Similar partnerships have documented NSO Group's Pegasus spyware and other commercial surveillance tools.

What Remains Unclear

The full scope of Cellebrite tool misuse in Serbia has not been determined. Amnesty identified "at least two additional cases" beyond the December 2024 report, but the total number of affected individuals remains unknown.

Cellebrite's criteria for customer suspension were not disclosed. The company did not specify whether the action affects all Serbian government customers or only specific agencies.

The timeline of exploitation is uncertain. While Amnesty documented the student activist case, the duration of vulnerability exploitation and the number of devices compromised globally remain undetermined.

Whether other forensic tool vendors possess similar exploit capabilities has not been established. Cellebrite is one of several companies in the mobile forensics market.

The status of patches for CVE-2024-53197 and CVE-2024-50302 in Android security updates was pending at the time of reporting. Google had not announced when these fixes would appear in monthly security bulletins.

What to Watch Next

Android security bulletins for March 2025 and subsequent months will indicate when patches for CVE-2024-53197 and CVE-2024-50302 reach Android devices.

Cellebrite's actions regarding other jurisdictions with documented misuse allegations bear monitoring. The company's response to the Serbia case may or may not establish precedent for other markets.

Serbian government response to the findings could include official statements, investigations, or policy changes regarding surveillance tool procurement and use.

Additional technical analysis from security researchers may reveal further details about the exploit chain or identify related vulnerabilities in the USB subsystem.

Civil society organizations monitoring surveillance in other countries may identify similar patterns of Cellebrite tool misuse, expanding the documented scope of the issue.

Sources

  1. Amnesty International Security Lab, "Cellebrite zero-day exploit used to target phone of Serbian student activist," February 28, 2025. https://securitylab.amnesty.org/latest/2025/02/cellebrite-zero-day-exploit-used-to-target-phone-of-serbian-student-activist/

  2. Ars Technica, "Serbian student's Android phone compromised by exploit sold by Cellebrite," February 28, 2025. https://arstechnica.com/security/2025/02/android-0-day-sold-by-cellebrite-exploited-to-hack-serbian-students-phone/

  3. Android Security Bulletin, February 2025. https://source.android.com/docs/security/bulletin/2025-02-01


Related Topics: cybersecurity, zero-day, android, surveillance, cellebrite