Critical Android Framework Vulnerability Actively Exploited, CISA Issues Emergency Warning
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2025-48595 to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation of a severe integer overflow flaw in the Android Framework. The vulnerability, classified as CWE-190, allows attackers to execute arbitrary code and escalate local privileges on affected devices, potentially granting system-level access without user interaction.
The flaw resides in the Android Framework layer, the core set of APIs and services underpinning Android applications. When triggered, the integer overflow enables local privilege escalation, meaning a low-privileged app or attacker with physical or local access can bypass security controls and execute malicious code in a higher-privileged context. While no ransomware links have been confirmed, the active exploitation status elevates the threat level for government and enterprise environments.
CISA added the vulnerability to the KEV catalog on June 2, 2026, with a remediation deadline of June 23, 2026, a three-week window for federal agencies to apply mitigations. Under Binding Operational Directive (BOD) 22-01, all Federal Civilian Executive Branch (FCEB) agencies must address KEV-listed vulnerabilities within the specified timeframe.
The vulnerability impacts a wide range of Android versions, including:
- Android 14
- Android 15
- Android 16
- Android 16-QPR2 (Quarterly Platform Release 2)
Enterprises managing Android fleets, MDM environments, BYOD deployments, and industrial/kiosk systems are at heightened risk due to the potential for local code execution. CISA recommends immediate action, including:
- Applying vendor patches via OEM channels or Google’s Android Security Bulletin
- Following BOD 22-01 guidance for cloud-connected and enterprise deployments
- Discontinuing use of unpatched devices if mitigations cannot be applied in time
- Restricting sideloading and enforcing strict app installation policies
Organizations are advised to prioritize patch deployment through MDM platforms and verify device compliance with the latest security updates.
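The compliance check recommended above can be run against an MDM inventory export. The following is an added example, not part of the original article or any CISA or Google tooling: the CSV column names and device rows are constructed, and FIXED_SPL is a placeholder because the article does not state the patch level that contains the fix.

```python
import csv
import io
from datetime import date

AFFECTED_MAJORS = {"14", "15", "16"}  # releases listed in the article (16-QPR2 -> "16")
KEV_DUE = date(2026, 6, 23)           # remediation deadline stated in the article
# PLACEHOLDER: the article gives no fixed patch level; take the real value
# from the Android Security Bulletin or the OEM advisory.
FIXED_SPL = date(2026, 6, 1)

# Constructed MDM export; column names are assumptions.
INVENTORY_CSV = """serial,release,security_patch,sideloading_allowed
KIOSK-001,14,2026-06-05,false
BYOD-017,15,2026-03-01,true
FLEET-230,16-QPR2,2026-05-05,false
FLEET-231,16,,false
LEGACY-09,13,2025-01-05,false
"""

def parse_spl(text):
    """Parse a YYYY-MM-DD security patch level; None if missing or malformed."""
    try:
        return date.fromisoformat((text or "").strip())
    except ValueError:
        return None

def triage(csv_text, today, fixed_spl=FIXED_SPL):
    """Return {serial: [actions]} for each device in the export."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        actions = []
        major = row["release"].split("-")[0]
        spl = parse_spl(row["security_patch"])
        if major not in AFFECTED_MAJORS:
            actions.append("review: release not in the article's list")
        elif spl is None or spl < fixed_spl:
            # Unknown patch level is treated as unpatched, never as compliant.
            actions.append("remove from service" if today > KEV_DUE else "patch")
        if (row["sideloading_allowed"] or "").strip().lower() == "true":
            actions.append("restrict sideloading")
        result[row["serial"]] = actions or ["compliant"]
    return result

if __name__ == "__main__":
    for serial, actions in triage(INVENTORY_CSV, date(2026, 6, 10)).items():
        print(serial, "->", ", ".join(actions))
```

Devices with a missing or unparseable patch level are deliberately counted as unpatched, and once the deadline has passed the action for them changes from patching to removal from service, matching the article's third recommendation.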
Source: https://cyberpress.org/exploited-android-framework-vulnerability/