Google Patches Actively Exploited Android Flaw Affecting Millions of Devices

Google fixed 124 Android flaws, including CVE-2025-48595, an actively exploited privilege escalation bug linked to targeted attacks.

Google has released its June 2026 Android security updates, fixing 124 vulnerabilities across the mobile operating system. One flaw, tracked as CVE-2025-48595 (CVSS score of 8.4), stands out from the rest because it is already being exploited in attacks in the wild.

The vulnerability affects devices running Android 14, 15, 16, and Android 16 QPR2. According to Google and the Android Security Bulletin, the issue is caused by an integer overflow that can lead to code execution and privilege escalation on a vulnerable device. An attacker could exploit the flaw to gain elevated access to the system without requiring additional privileges.

Google has confirmed that there are indications the flaw is being exploited in what it describes as “limited, targeted exploitation.”

“There are indications that CVE-2025-48595 may be under limited, targeted exploitation,” reads the advisory.

The company has not disclosed who is behind the attacks, how many victims may have been affected, or how the vulnerability is being delivered.

That lack of detail is not unusual. When Google uses the phrase “limited, targeted exploitation,” it typically refers to attacks against a small number of carefully selected targets rather than mass exploitation campaigns. In previous Android cases, vulnerabilities carrying the same wording were later linked to commercial spyware vendors or state-sponsored operations targeting journalists, political figures, dissidents, executives, and government officials.

At this stage, there is no public evidence connecting CVE-2025-48595 to a specific threat actor. However, several indicators point toward a sophisticated attack chain rather than ordinary cybercrime. The flaw is local, requires no user interaction, and resides inside the Android Framework, one of the most sensitive layers of the operating system. Researchers believe the most likely scenario involves a malicious application that abuses the vulnerability after installation to gain elevated privileges and potentially full control of the device.

This is exactly the type of capability that attracts commercial surveillance vendors. A spyware operator doesn’t need to infect millions of devices. Compromising a handful of high-value targets is often enough. The economics are very different from ransomware. One successful infection can be worth far more than a large-scale criminal campaign.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on June 2, 2026, added CVE-2025-48595 to its Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate the flaw by June 5, 2026.

Beyond CVE-2025-48595, Google patched a number of additional vulnerabilities in the Android System component, including flaws that could also result in privilege escalation. The company released two patch levels, 2026-06-01 and 2026-06-05. Devices receiving the latter will obtain all fixes included in the first release, plus updates for the Linux kernel and third-party chipset components from Qualcomm, MediaTek, Unisoc, and Imagination Technologies.
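A patch-level check for the two levels described above, as an added example that is not part of the original article or Google's bulletin. It assumes the Framework fix for CVE-2025-48595 ships in the 2026-06-01 level (the article places only kernel and chipset fixes in 2026-06-05) and that Android 16 QPR2 reports release `16`; the `triage` labels and the sample `getprop` output are constructed for illustration.

```python
from datetime import date

# Patch levels and affected releases as reported in the article.
FIRST_LEVEL = date(2026, 6, 1)   # assumption: contains the Framework fix
FULL_LEVEL = date(2026, 6, 5)    # adds Linux kernel and chipset fixes
AFFECTED_RELEASES = {"14", "15", "16"}  # assumption: 16 QPR2 reports "16"

# Constructed sample of `adb shell getprop` output (not from a real device).
SAMPLE = """\
[ro.build.version.release]: [15]
[ro.build.version.security_patch]: [2026-05-05]
"""

def parse_getprop(text):
    """Parse getprop lines of the form `[key]: [value]` into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not (line.startswith("[") and "]: [" in line and line.endswith("]")):
            continue  # skip blank or malformed lines
        key, value = line[1:-1].split("]: [", 1)
        props[key] = value
    return props

def triage(props):
    """Classify one device against the June 2026 patch levels."""
    release = props.get("ro.build.version.release", "").split(".")[0]
    raw = props.get("ro.build.version.security_patch", "")
    try:
        level = date.fromisoformat(raw)
    except ValueError:
        return "unknown"      # missing or malformed level: inspect by hand
    if level >= FULL_LEVEL:
        return "patched"      # has both patch levels
    if level >= FIRST_LEVEL:
        return "partial"      # still lacks kernel and chipset fixes
    if release in AFFECTED_RELEASES:
        return "exposed"      # affected release below the first patch level
    return "outdated"         # release not listed in the article, but behind

if __name__ == "__main__":
    print(triage(parse_getprop(SAMPLE)))
```

On a connected device the same two values come from `adb shell getprop ro.build.version.release` and `adb shell getprop ro.build.version.security_patch`.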

The biggest challenge remains Android’s fragmented update model. Pixel devices receive patches immediately, while many other manufacturers require additional testing and customization before distributing updates. As a result, some users may remain exposed for weeks or months after a vulnerability becomes public. Attackers know this. In many cases, the race begins not when a vulnerability is discovered, but when the patch is released.

Pierluigi Paganini

(SecurityAffairs – hacking, Google)