Android Framework CVE-2025-48595 exploitation

Summary

CISA added CVE-2025-48595 to the Known Exploited Vulnerabilities catalog on June 2, 2026. Google’s June 2026 Android Security Bulletin says there are indications the Android Framework issue may be under limited, targeted exploitation.

Why this matters

  • Android is a high-impact mobile platform; limited, targeted exploitation often matters for high-risk users even before public exploit details are available.
  • Google describes the issue as an Android Framework integer-overflow vulnerability that can lead to code execution / local escalation of privilege with no additional execution privileges needed and no user interaction required.
  • CISA’s KEV entry sets a June 5, 2026 remediation due date for covered agencies; inclusion in the catalog is itself a signal that CISA has evidence of in-the-wild exploitation.

Public reporting

  • Google’s Android Security Bulletin for June 2026 notes: “There are indications that CVE-2025-48595 may be under limited, targeted exploitation.”
  • The bulletin lists CVE-2025-48595 under Framework, type EoP, severity High, with updated AOSP versions 14, 15, 16, and 16-qpr2.
  • NVD describes the issue as an integer overflow in multiple locations that could lead to code execution and local escalation of privilege, requiring no user interaction.
  • CISA describes the flaw as an Android Framework integer-overflow vulnerability that allows code execution and could lead to local privilege escalation; use in ransomware campaigns is marked unknown.

Defender notes

  • Prioritize June 2026 Android security updates for high-risk users, managed fleets, and devices exposed to targeted mobile-threat risk.
  • Treat the KEV entry as exploitation validation, but avoid assuming a public exploit chain, actor identity, or mass exploitation unless later reporting supports it.
  • For enterprise mobile fleets, verify patch-level reporting rather than relying only on OS major version; Google lists affected/updated AOSP versions across Android 14, 15, 16, and 16-qpr2.
  • Watch for follow-on reporting from Google, CISA, mobile EDR vendors, and incident responders that ties CVE-2025-48595 to a specific spyware, exploit broker, or campaign chain.
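A fleet check for the third note above, added here as an example and not taken from the bulletin or this page's author: it reads each device's reported ro.build.version.security_patch over adb and compares it with a required baseline, rather than trusting the Android major version. The baseline 2026-06-01 is an assumption derived from the bulletin date; set REQUIRED_SPL to the patch level the bulletin names for the fix.

```shell
#!/bin/sh
# Fleet check for the patch level that carries the CVE-2025-48595 fix.
# ASSUMPTION: the required security patch level equals the bulletin date,
# 2026-06-01; override REQUIRED_SPL with the level the bulletin names.
REQUIRED_SPL="${REQUIRED_SPL:-2026-06-01}"

# spl_to_int: turn a YYYY-MM-DD patch level into a comparable integer (YYYYMMDD).
spl_to_int() {
    printf '%s' "$1" | tr -d '-'
}

# patch_level_ok <spl>: 0 if <spl> (a ro.build.version.security_patch value)
# is at or after REQUIRED_SPL, 1 if it is older, 2 if the value is malformed.
# An empty or unexpected property value must never be reported as patched.
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 2 ;;
    esac
    [ "$(spl_to_int "$1")" -ge "$(spl_to_int "$REQUIRED_SPL")" ]
}

# scan_fleet: query every device adb can see and report its patch status.
# Uses the device-reported patch level, not the Android major version.
scan_fleet() {
    adb devices | awk 'NR > 1 && $2 == "device" { print $1 }' |
    while read -r serial; do
        spl=$(adb -s "$serial" shell getprop ro.build.version.security_patch | tr -d '\r')
        if patch_level_ok "$spl"; then
            status="OK"
        else
            status="NEEDS UPDATE"
        fi
        printf '%s\t%s\t%s\n' "$serial" "${spl:-<missing>}" "$status"
    done
}

# Run the scan only when explicitly requested, so the functions can be sourced
# or tested without an adb server running.
if [ -n "${RUN_FLEET_SCAN:-}" ]; then
    scan_fleet
fi
```

Run with `RUN_FLEET_SCAN=1 sh check_spl.sh` against devices enrolled for adb access; a device reporting an older level, or no level at all, shows as NEEDS UPDATE.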

Sources

  • Android Security Bulletin — June 2026: https://source.android.com/docs/security/bulletin/2026/2026-06-01
  • CISA KEV catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • NVD CVE-2025-48595: https://nvd.nist.gov/vuln/detail/CVE-2025-48595