Google’s June 2026 Android Security Bulletin, published on 2 June, contains a disclosure that warrants immediate attention from organisations with high-value Android device users. CVE-2025-48595, an integer overflow in the Android Framework component affecting Android 14, 15, and 16, is confirmed as actively exploited in limited, targeted attacks. CISA added it to the Known Exploited Vulnerabilities catalogue the same day with a three-day federal remediation deadline — the shortest window CISA applies, reserved for vulnerabilities with confirmed active exploitation and assessed urgency.
What the Language Actually Means
Google uses a specific, consistent phrase when confirming in-the-wild exploitation in its security bulletins: “there are indications that [CVE] may be under limited, targeted exploitation.” That phrase — “limited, targeted exploitation” — is not a downgrade. It is the standard indicator for commercial surveillance tool activity: exploitation by a vendor-supplied spyware platform against a small number of carefully selected targets rather than mass distribution of a commodity exploit.
The pattern is well-established. Variants of this language appeared in bulletins preceding the public identification of NSO Group’s Pegasus iOS exploits, Intellexa’s Predator Android zero-days, and similar commercial spyware campaigns. The fact that exploitation is “limited” reflects the operational security of spyware vendors — they deliberately restrict deployment to avoid burning zero-days against low-value targets — not a reassurance that the threat is contained or low-risk.
CVE-2025-48595’s CVSS 8.4 HIGH rating includes PR:N (no privileges required) and UI:N (no user interaction required). A malicious application can trigger the vulnerability without the device owner taking any action beyond having the application present on the device. The exploit achieves code execution within the Android Framework, gaining access to sensitive APIs, system services, and data outside the normal application sandbox.
Sector Exposure
The profiles of organisations typically targeted by commercial surveillance tools align directly with Adversary Wire’s coverage sectors:
Finance. Senior executives, M&A teams, and legal counsel at financial institutions are consistent targets for commercial spyware operations. Mobile devices used for sensitive communications — term sheet negotiations, regulatory discussions, board communications — are the primary targets precisely because they are perceived as less monitored than corporate laptop environments.
Communications. Telecom sector personnel with access to network infrastructure data, lawful intercept systems, or peering arrangements have been primary targets in documented commercial spyware campaigns, including the Salt Typhoon operations disclosed in 2025. A fresh Android zero-day represents a viable route to access credentials or session data from devices belonging to such personnel.
Critical infrastructure. Personnel at energy, water, and transport operators who use Android devices for operations management or secure communications are exposed to the same targeting logic.
Immediate Actions
Patch all managed Android devices to the June 2026 security patch level immediately. Google Pixel devices received the fix on 2 June 2026. For organisations managing mixed Android fleets through an EMM platform (Microsoft Intune, VMware Workspace ONE, Jamf), enforce minimum patch level 2026-06-01 and quarantine or restrict non-compliant devices from sensitive network access pending update.
Identify unmanaged executive devices. The most common gap in mobile security programmes is personally owned Apple or Android devices used by executives, with automatic updates delayed or disabled. Confirm that devices belonging to board members, the C-suite, legal counsel, and M&A teams are enrolled in device management or, at minimum, compliant with the organisation’s patch level standards.
Assess third-party Android device risk. Legal firms, financial advisers, and supply chain partners who exchange sensitive communications may carry unpatched devices. Consider raising this bulletin in high-risk partner communications.
Baseline mobile device behaviour if targeted exploitation is suspected. Standard enterprise security tooling often has limited visibility into Android device activity. If there is reason to suspect a device may have been targeted — high-profile individual, recent threat intelligence suggesting targeting, unusual device behaviour — specialist mobile forensics rather than on-device scanning is the appropriate response. Spyware operating at the Framework level is typically not detectable by standard mobile EDR tools.
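As an added example (not code from the bulletin or from any EMM vendor), the patch-level enforcement step above written as a Python triage of a constructed EMM export: devices below the 2026-06-01 minimum are listed for quarantine, those on the affected Android 14 to 16 releases are flagged against CVE-2025-48595, and rows whose patch level or OS version cannot be parsed go to review rather than being assumed compliant. The export column names and sample rows are assumptions; on a device the patch level is the ro.build.version.security_patch system property.

```python
from dataclasses import dataclass
from datetime import date

MIN_PATCH_LEVEL = date(2026, 6, 1)   # minimum patch level named in the bulletin
AFFECTED_MAJORS = {14, 15, 16}       # Android releases the bulletin lists as affected

@dataclass
class Verdict:
    device_id: str
    status: str   # "compliant", "quarantine" or "review"
    reason: str

def parse_patch_level(value):
    """YYYY-MM-DD value of ro.build.version.security_patch -> date, or None if malformed."""
    try:
        return date.fromisoformat(str(value).strip())
    except ValueError:
        return None

def parse_major(value):
    """Major Android version from strings such as '15' or '14.0', or None if malformed."""
    try:
        return int(str(value).strip().split(".")[0])
    except ValueError:
        return None

def triage(row):
    """Unprovable data is sent for review rather than silently treated as compliant."""
    dev = row.get("device_id", "?")
    patch = parse_patch_level(row.get("security_patch", ""))
    major = parse_major(row.get("os_version", ""))
    if patch is None or major is None:
        return Verdict(dev, "review", "patch level or OS version missing; compliance unproven")
    if patch >= MIN_PATCH_LEVEL:
        return Verdict(dev, "compliant", f"patch level {patch.isoformat()}")
    if major in AFFECTED_MAJORS:
        return Verdict(dev, "quarantine", f"Android {major} at {patch.isoformat()} exposed to CVE-2025-48595")
    return Verdict(dev, "quarantine", f"below minimum patch level ({patch.isoformat()})")

def quarantine_list(rows):
    """Device ids to cut off from sensitive network access pending update."""
    return [v.device_id for v in map(triage, rows) if v.status == "quarantine"]

# Constructed sample rows in the shape of an EMM export (not real device data).
SAMPLE_EXPORT = [
    {"device_id": "pixel-exec-01", "os_version": "16", "security_patch": "2026-06-05"},
    {"device_id": "galaxy-legal-07", "os_version": "15", "security_patch": "2026-04-01"},
    {"device_id": "legacy-ops-03", "os_version": "13", "security_patch": "2025-12-01"},
    {"device_id": "unknown-byod-11", "os_version": "", "security_patch": "n/a"},
]
```

Feed the real export through `quarantine_list` to produce the restriction list; the "review" bucket is where unmanaged executive devices with missing inventory data tend to surface.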
Context
This bulletin arrives approximately six weeks after the documented exploitation of CVE-2025-43529 in Apple WebKit, which CISA flagged as actively exploited in April 2026. Taken together, the pattern in Q2 2026 reflects an active and well-resourced commercial spyware ecosystem maintaining operational capability across both major mobile platforms simultaneously. The three-day CISA deadline for CVE-2025-48595 should be treated as directionally correct for private sector urgency, not as a deadline that applies only to federal agencies.