Android framework under fire from latest zero-day (CVE-2025-48595)

Posted on 17 June 2026

What happened?

Google has confirmed active exploitation of CVE-2025-48595, a zero-day integer overflow vulnerability (CWE-190) in the Android Framework - the core system layer that mediates between applications and the operating system. The flaw allows a local attacker to escalate privileges on affected devices without requiring user interaction and carries a CVSS score of 8.4 (High). Android versions 14, 15, 16, and 16-QPR2 are all affected.

Google's advisory notes that the vulnerability "may be under limited, targeted exploitation" - language the company uses when active attacks have been confirmed but have not yet reached mass scale. No specific threat actor has been attributed. The exploitation pattern is consistent with previous Android zero-days linked to commercial spyware vendors and nation-state actors targeting high-value individuals such as journalists, executives, lawyers, and government officials.

This flaw has been added to CISA's Known Exploited Vulnerabilities (KEV) catalogue, with a federal agency remediation deadline of 5 June 2026 - a strong signal of confirmed, credible exploitation.

So what?

CVE-2025-48595 is an elevation-of-privilege vulnerability: an attacker who has already achieved code execution on a device - most likely through a malicious application - can use this flaw to gain system-level access well beyond their initial permissions. That elevated access could enable an attacker to read private messages and files, access stored credentials, activate the microphone or camera without the user's knowledge, install persistent spyware, or bypass core security controls to reach sensitive system resources.

Two characteristics make this particularly concerning for organisations. First, exploitation does not require any action from the user after the malicious application is installed - there is no phishing link to click or file to open. Second, because the vulnerability sits in the Android Framework itself rather than a specific application, every unpatched device running Android 14 or later is exposed regardless of which apps are installed.

The primary organisational risk lies with unmanaged, lightly managed, or slow-to-patch devices. Personal devices used for work (BYOD) and corporate-liable devices that depend on OEM patch cycles rather than direct OS updates are especially exposed, as the availability of the June 2026 patch varies significantly by manufacturer and carrier. A device running the correct Android version is not necessarily protected; the security patch level must also be confirmed.

Flaws of this kind are difficult to detect after the fact and are frequently chained with other exploits - for example, an initial-access vulnerability delivering a malicious application, followed by this flaw to achieve full system compromise. Organisations should treat this as a patch-now signal and consider reviewing mobile device management (MDM) policies to ensure patch level visibility and enforcement across their Android estate.

What should I do?

Google has addressed CVE-2025-48595 as part of the June 2026 security update. As such, devices running the 2026-06-05 security patch level or later include the full set of fixes, and devices running Android version 14 or higher can be protected by applying the update immediately.

Older or unsupported Android devices are at greater risk, especially where manufacturers have not yet provided the June patch. Where the fix above cannot be applied, consider the recommendations below:

  • Update Android devices to the latest release available for the hardware - check each device’s security patch level and apply any available updates without delay.
  • Apply device-level hardening - ensure Google Play Protect is enabled on all managed devices to help detect potentially harmful applications, and restrict sideloading from outside the Google Play Store through enterprise Mobile Device Management (MDM) policies.
  • Review device activity logs - monitor endpoints for unusual privilege-escalation activity or other anomalous process behaviour.
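To make the patch-level check in the first recommendation repeatable across a fleet, the following is an added example (not from this advisory, Google, or any MDM vendor) of a POSIX shell triage script. It assumes adb access to the devices and reads only the standard `ro.build.version.release` and `ro.build.version.security_patch` system properties; the inventory it falls back to when no device is attached is constructed sample data, not real serial numbers. Because the advisory ties the fix to the 2026-06-05 patch level, a device reporting the 2026-06-01 level of the same month is still flagged as exposed.

```shell
#!/bin/sh
# Added example: triage Android devices against the security patch level that
# carries the CVE-2025-48595 fix (2026-06-05, per the advisory above).
# Assumptions: adb is installed and authorised for the attached devices; the
# two system properties below are the standard Android build properties.
# The SAMPLE_INVENTORY at the bottom is constructed data for illustration.

MIN_PATCH="2026-06-05"   # patch level containing the fix (from the advisory)
MIN_RELEASE=14           # Android 14 and later are listed as affected

# patch_level_ok PATCH -> "yes" if PATCH >= MIN_PATCH, "no" if older,
# "invalid" if the value is not a YYYY-MM-DD date (missing/garbled property).
patch_level_ok() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) echo "invalid"; return 0 ;;
    esac
    # Drop the dashes so both dates compare as integers (20260605 etc.)
    have=$(printf '%s' "$1" | tr -d -)
    want=$(printf '%s' "$MIN_PATCH" | tr -d -)
    if [ "$have" -ge "$want" ]; then echo "yes"; else echo "no"; fi
}

# assess_device RELEASE PATCH -> one of:
#   patched        Android 14+ at or above the 2026-06-05 patch level
#   EXPOSED        Android 14+ below the 2026-06-05 patch level
#   older-release  Android 13 or earlier: not in the advisory's affected list,
#                  but out of support, so flag for review rather than mark clean
#   unknown        release or patch property missing or malformed
assess_device() {
    release="$1"; patch="$2"
    # Keep only the leading digits of the release string (e.g. "16" from "16.0")
    major=$(printf '%s' "$release" | sed 's/^\([0-9]*\).*/\1/')
    case "$major" in ''|*[!0-9]*) echo "unknown"; return 0 ;; esac
    if [ "$major" -lt "$MIN_RELEASE" ]; then echo "older-release"; return 0; fi
    case "$(patch_level_ok "$patch")" in
        yes) echo "patched" ;;
        no)  echo "EXPOSED" ;;
        *)   echo "unknown" ;;
    esac
}

# live_assess SERIAL -> reads the two properties from an attached device
# and prints: serial, release, patch level, verdict (tab-separated).
live_assess() {
    rel=$(adb -s "$1" shell getprop ro.build.version.release | tr -d '\r')
    pat=$(adb -s "$1" shell getprop ro.build.version.security_patch | tr -d '\r')
    printf '%s\t%s\t%s\t%s\n' "$1" "$rel" "$pat" "$(assess_device "$rel" "$pat")"
}

# Constructed sample inventory (serial, release, patch level); not real devices.
SAMPLE_INVENTORY='
SAMPLE-0001 16 2026-06-05
SAMPLE-0002 15 2026-04-05
SAMPLE-0003 14 2026-06-01
SAMPLE-0004 13 2025-12-05
SAMPLE-0005 16 unknown
'

# report_sample -> runs the same assessment over the constructed inventory,
# so the script can be exercised with no device attached.
report_sample() {
    printf '%s\n' "$SAMPLE_INVENTORY" | while read -r serial rel pat; do
        [ -n "$serial" ] || continue
        printf '%s\t%s\t%s\t%s\n' "$serial" "$rel" "$pat" \
            "$(assess_device "$rel" "$pat")"
    done
}

printf 'serial\trelease\tpatch_level\tverdict\n'
if command -v adb >/dev/null 2>&1 \
   && adb devices 2>/dev/null | awk 'NR>1 && $2=="device"' | grep -q .; then
    adb devices | awk 'NR>1 && $2=="device" {print $1}' \
        | while read -r s; do live_assess "$s"; done
else
    report_sample
fi
```

The output is tab-separated so it can be fed into the MDM or ticketing process already in use; the `EXPOSED` rows are the devices to prioritise, and `unknown` rows point at devices whose properties could not be read and need a manual look.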