Microsoft has confirmed a UI spoofing vulnerability in Edge for Android that could let attackers trick you into giving up credentials or downloading malware, simply by visiting a malicious webpage. Patches are rolling out now, and every Android user running Edge should update immediately.

The flaw at a glance

The bug—tracked across several CVE identifiers including CVE-2025-49755 and CVE-2025-49736—stems from insufficient UI warnings when the browser renders dangerous operations. In plain English: the address bar, padlock icon, and dialog boxes can be faked so convincingly on a mobile screen that even careful users might believe they’re on a legitimate site or accepting a genuine system prompt.

Security researchers classify this as CWE-451, “User Interface Misrepresentation of Critical Information.” On Android’s compact displays, where browser chrome is often minimized or hidden, an attacker can craft a page that overlays or manipulates these trusted visual cues. You think you’re signing into your bank or approving a download from a known source, but the action is actually controlled by the attacker.

The vulnerability is network-exploitable, meaning all it takes is for someone to click a link in an email, text, or social media post. No local access is required, and the attack can be mounted from any hosted web content. Microsoft’s security advisory rates the issue as Important (equivalent to Medium in many third-party databases, with CVSS scores around 4.3 to 5.3). That may not sound critical, but the human factor makes it deadly effective in phishing campaigns.

What actually changed

Microsoft disclosed the vulnerability through its Security Update Guide (SUG). However, because the SUG page relies heavily on JavaScript, automated scrapers and public aggregators have surfaced multiple closely related CVE numbers for the same class of flaw—all describing UI spoofing in Edge on Android and published within the same August 2025 timeframe. The exact CVE ID shown in Microsoft’s advisory link (CVE-2025-47967) may differ from numbers indexed by third parties, but the core risk is identical: a spoofed UI can mislead users into harmful actions.

According to aggregated data from vulnerability trackers, the fixed build for the Android version of Edge is 139.0.3405.86 or later. Several independent sources list this build string as the minimum required to block the attack. However, until Microsoft’s SUG is fully interactive in your browser, treat that version as a strong indicator rather than an absolute guarantee. The safest step is to update to the latest Edge release available in the Google Play Store, which will include the fix.

What it means for you

For everyday users

If you use Edge on your Android phone or tablet, you are exposed until you patch. An attacker can create a fake login page that looks exactly like your email provider, social media, or bank—complete with the real URL and a green padlock—because the browser’s security indicators are being spoofed. You might enter your password, and it goes straight to the phisher. Worse, a prompt could trick you into installing a malicious APK or granting permissions that let the attacker access your camera, microphone, or files.

Because mobile screens are small, we tend to tap quickly and trust what we see. This bug weaponizes that habit. A single rushed tap on a fake prompt could compromise an account, lead to financial loss, or serve as a foothold for further attacks.

For IT administrators and businesses

This is a tangible threat to any fleet where employees use Edge on Android to access corporate resources. A compromised device could leak credentials for your SSO portal, email, or internal tools. Attackers often use such stolen logins to move laterally through networks. Phishing campaigns that exploit this vulnerability could appear far more convincing than standard email scams, bypassing user training that relies on looking at the address bar.

Managed devices can be updated via MDM, but personal devices used for work (BYOD) are a bigger challenge. Immediate communication to your users, combined with policy-driven enforcement, is critical. Consider temporarily blocking Edge from accessing corporate resources on unpatched devices until the update is confirmed.

How we got here

UI spoofing isn’t new. It’s been a persistent problem in browsers for years, especially on mobile. The Chromium project, which underpins Microsoft Edge, Google Chrome, and many other browsers, has fixed dozens of similar bugs. Yet they keep appearing because the boundary between a webpage’s content and the browser’s trusted “chrome” (the address bar, menus, permissions dialogs) is governed by complex code that must run perfectly on countless device models and OS versions.

On Android, fragmentation makes things harder. Different manufacturers tweak the WebView and rendering stack, and the browser UI must adapt to foldables, tablets, and everything in between. A timing glitch or rendering inconsistency in one device can leave a crack that attackers exploit.

Microsoft’s Edge for Android has previously been targeted by spoofing vulnerabilities. In 2024, a similar flaw allowed address bar spoofing, and in early 2025 another permitted phishing via malformed URLs. Each time, the fix cycle involved upstream Chromium patches followed by downstream integration into Edge. The current disclosure follows that pattern: a vulnerability reported to Microsoft, likely through a responsible disclosure program or as part of broader Chromium security hardening, then patched and announced in the August 2025 update batch.

What to do now

1. Update Edge on Android immediately

Open the Google Play Store, tap your profile icon, select Manage apps & device, and check for updates. If Edge appears, update it. Alternatively, open Edge, tap the three-dot menu, go to Settings > About Microsoft Edge, and it will check and apply an update. Ensure your version is 139.0.3405.86 or higher. If your device hasn’t received the update yet, keep checking throughout the day; staged rollouts can take time.

2. Break the spoofing chain

  • Don’t click links from unknown senders. If you get an unexpected link in SMS, WhatsApp, or email that asks you to log in, ignore it. Instead, open a new tab and manually type the site’s address or use a bookmark.
  • Disable autofill for passwords in Edge’s settings (Settings > Save passwords) at least until you’ve updated. This prevents credentials from being automatically stuffed into a fake form.
  • Turn on HTTPS-Only mode (Settings > Privacy and security > Always use secure connections) to reduce the risk of interception.
  • Use multi-factor authentication for critical accounts so that even a stolen password isn’t enough to break in.

3. Enterprise-specific actions

Step Action Timeline
Inventory Use MDM to list all Android devices with Edge installed, noting version numbers. Hours
Push updates Force install the latest Edge version via Managed Google Play or MDM policy. 24-48 hours
User notification Send an alert advising employees not to click unsolicited links on mobile until patched. Immediately
Conditional access Block sign-ins from devices running an outdated Edge build. Concurrent with patch rollout
Detection Monitor authentication logs for anomalies from mobile IPs and look for known phishing patterns in web gateway logs. Ongoing

4. Verify the fix

After updating, you can verify protection by visiting a benign spoofing demo page (many security labs host safe tests) and ensuring the address bar remains accurate during rapid redirects or overlay attempts. For enterprise device labs, automate this check across representative handsets.

What to watch next

Microsoft is expected to update its Security Update Guide with clearer fixed-build information as the patch propagates. Upstream, Chromium developers will likely harden the UI-binding code further, but expect this cat-and-mouse game to continue. For users, the lesson is clear: mobile browsers demand the same skeptical eye as desktops. Treat unexpected prompts with suspicion, keep your apps updated, and rely on layered defenses like MFA.

IT teams should treat this as a dry run for mobile browser patch management. The speed at which you can identify, update, and enforce compliance on Android devices will determine your real risk window—not just for this bug, but for the next inevitable spoofing flaw.