Google Patched 124 Android flaws, including CVE-2025-48595


In its June 2026 security update, Google patched 124 flaws in the Android mobile OS. One vulnerability, CVE-2025-48595, stands out: it carries a CVSS score of 8.4 and is already being exploited in the wild.

Devices running Android 14, Android 15, Android 16, and Android 16 QPR2 are affected. According to Google's Android Security Bulletin, the flaw is an integer overflow that could lead to code execution and privilege escalation on a vulnerable device; an attacker could gain elevated access to the system without needing any additional execution privileges.

Google said it was aware of evidence that one of the 124 flaws, CVE-2025-48595, was being used for "limited, targeted exploitation."

The advisory stated:

“There are indications that CVE-2025-48595 may be under limited, targeted exploitation.”

The identity of the attackers, the potential number of victims, and the method of vulnerability delivery have all been withheld by the company.

The security team at HKCERT explained:

“Multiple vulnerabilities were identified in Android. A remote attacker could exploit some of these vulnerabilities to trigger a denial of service condition, elevation of privilege, remote code execution and sensitive information disclosure on the targeted system. CVE-2025-48595 is being exploited in a scattered manner. This vulnerability could lead to escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.”

This lack of specificity is not out of the ordinary. When Google talks about “limited, targeted exploitation” it usually means attacks on a small number of selected targets rather than a large-scale exploitation campaign. Earlier Android cases described in similar language have since been attributed to state-sponsored operations or commercial spyware makers targeting government officials, executives, journalists, political figures and dissidents.

There is currently no public information linking CVE-2025-48595 to any specific threat actor, but several pieces of evidence point to a sophisticated attack chain rather than typical cybercrime. The flaw is local, requires no user interaction, and sits in one of the most sensitive layers of the operating system, the Android Framework. The most probable scenario, the researchers say, is a malicious app that exploits the vulnerability after installation to escalate privileges and possibly take over the entire device.

It is this kind of capability that attracts commercial surveillance vendors. A spyware operator does not need millions of devices; compromising a few high-value targets is often enough. The economics are quite different from ransomware: a single successful infection can be worth far more than a large criminal campaign.

On June 2, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2025-48595 to its Known Exploited Vulnerabilities (KEV) catalog. Federal Civilian Executive Branch (FCEB) organizations are required to correct the vulnerability by June 5, 2026.

Besides CVE-2025-48595, the 124 flaws include several other vulnerabilities in Android System components, some of which could also lead to privilege escalation. Google released two patch levels, 2026-06-01 and 2026-06-05. Devices that receive the latter get all of the fixes in the first level plus fixes for the Linux kernel and for third-party chipset components from Qualcomm, MediaTek, Unisoc and Imagination Technologies.

The biggest hurdle continues to be Android’s fractured update model. Pixel phones get patches straight away whereas other manufacturers need more testing and customisation before releasing updates. Because of this, when a vulnerability is made public, some users can still be at risk for weeks or months. Attackers are aware of this. The race often starts when the patch is made available rather than when a vulnerability is found.
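Because of the two patch levels and the uneven OEM rollout described above, the practical question for a fleet owner is which devices carry which level. The following script is an added example written for this article, not code from Google or from the bulletin; it reads the `ro.build.version.security_patch` system property (a real Android property, reported by `adb shell getprop`) and classifies each device against the 2026-06-01 and 2026-06-05 levels named in the bulletin. The device serials and property values in the sample inventory are constructed, and the `query_device` helper is an assumption about how one would collect the property from live devices over adb.

```python
"""Triage Android devices against the June 2026 Android patch levels.

Added example for this article; not part of the Google bulletin.
"""
from datetime import date
import subprocess

# Patch levels named in the June 2026 bulletin.
FRAMEWORK_LEVEL = date(2026, 6, 1)   # carries the Android Framework fixes, incl. CVE-2025-48595
COMPLETE_LEVEL = date(2026, 6, 5)    # adds Linux kernel and chipset vendor fixes


def parse_patch_level(value):
    """Parse a ro.build.version.security_patch string (YYYY-MM-DD).

    Returns a date, or None if the property is empty or malformed.
    """
    value = (value or "").strip()
    if not value:
        return None
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def classify(value):
    """Map a security_patch string to one of four status labels."""
    level = parse_patch_level(value)
    if level is None:
        return "unknown"            # could not read or parse the property
    if level < FRAMEWORK_LEVEL:
        return "vulnerable"         # predates the CVE-2025-48595 fix
    if level < COMPLETE_LEVEL:
        return "framework-patched"  # framework fixed, kernel/vendor fixes still missing
    return "complete"


def triage(inventory):
    """inventory: {serial: security_patch string} -> {serial: status}."""
    return {serial: classify(value) for serial, value in inventory.items()}


def needs_action(inventory):
    """Serials that are not at the complete 2026-06-05 level, sorted."""
    return sorted(s for s, status in triage(inventory).items() if status != "complete")


def query_device(serial):
    """Read the property from a live device over adb (hypothetical helper; not used offline)."""
    result = subprocess.run(
        ["adb", "-s", serial, "shell", "getprop", "ro.build.version.security_patch"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


# Constructed sample inventory: hypothetical serials and patch strings.
SAMPLE_INVENTORY = {
    "PIXEL-0001": "2026-06-05\n",   # trailing newline as adb would print it
    "OEM-0042": "2026-06-01",
    "OEM-0043": "2026-05-01",
    "OEM-0099": "",                 # property missing or unreadable
}

if __name__ == "__main__":
    for serial, status in triage(SAMPLE_INVENTORY).items():
        print(f"{serial:12s} {status}")
    print("needs action:", ", ".join(needs_action(SAMPLE_INVENTORY)))
```

The property reflects the level the OEM declares for the build, so treat the result as an indicator rather than proof: an OEM that backports a fix without bumping the level, or bumps the level on a build that omits a vendor component, will be misclassified. For a device on a 2026-06-01 build, the CVE-2025-48595 framework fix is present but the kernel and chipset fixes that the 2026-06-05 level adds are not.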
