In early June 2026, Google released its monthly security update for Android. In total, 124 vulnerabilities were fixed, including a zero-day that was already being exploited before the patch shipped, the fourth such flaw in six months.
A zero-day vulnerability at the heart of the Android Framework
Among the 124 flaws fixed, one stands out as it was already being exploited at the time of the patch. Tracked as CVE-2025-48595, it sits in the Android Framework, the layer of system services that applications interact with directly. Rated 8.4 on the CVSS scale, it stems from an integer overflow that lets a local attacker elevate their privileges to system level, without any user interaction. Android 14, 15, 16 and 16 QPR2 are affected, which covers the vast majority of devices in use.
A privilege escalation flaw does not, on its own, give access to a device; it is one link in an attack chain. An attacker first needs an entry point, often a malicious app or another vulnerability in the browser or a messaging app. The flaw then lets them break out of the application sandbox and reach system privileges, after which the rest of the device becomes accessible.
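To make the mechanism concrete, here is a generic illustration of how an integer overflow turns into a bypassed bounds check. This is an added example, not the code of CVE-2025-48595 or of the Android Framework: it models a C `uint32_t` size computation in Python by masking to 32 bits, and the request values are constructed.

```python
MASK32 = 0xFFFFFFFF  # models a C uint32_t: arithmetic wraps modulo 2**32


def wrapped_total(count, elem_size):
    """Total byte count as 32-bit native code would compute it (wraps on overflow)."""
    return (count * elem_size) & MASK32


def vulnerable_accepts(count, elem_size, capacity):
    """Bounds check as it is often written: the product is computed in 32-bit
    arithmetic, so a huge count wraps to a small total that passes the
    comparison even though count entries will later be written."""
    return wrapped_total(count, elem_size) <= capacity


def hardened_accepts(count, elem_size, capacity):
    """Same check with the multiplication guarded against wrap-around, the
    equivalent of __builtin_mul_overflow or a division-based check in C."""
    if elem_size <= 0:
        return False
    if count > MASK32 // elem_size:  # product would not fit in 32 bits
        return False
    return count * elem_size <= capacity


# Constructed request (hypothetical values): 0x40000001 entries of 4 bytes
# against a 4 KiB buffer. 0x40000001 * 4 = 0x100000004, which wraps to 4 in
# 32-bit math, so the naive check believes the request fits.
EVIL_COUNT, ELEM_SIZE, CAPACITY = 0x40000001, 4, 4096

if __name__ == "__main__":
    print("wrapped total:", wrapped_total(EVIL_COUNT, ELEM_SIZE))
    print("vulnerable check accepts:", vulnerable_accepts(EVIL_COUNT, ELEM_SIZE, CAPACITY))
    print("hardened check accepts:", hardened_accepts(EVIL_COUNT, ELEM_SIZE, CAPACITY))
```

The wrapped check accepts the request while a legitimately oversized one (say 2000 entries of 4 bytes) is still rejected, which is exactly why such bugs survive casual testing: only a count chosen to wrap slips through.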
The severity of this vulnerability has been confirmed beyond Google. As early as June 2nd, the US agency CISA had added the flaw to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies just three days to remediate.
Four zero-day flaws in six months
June's case is not an isolated one. Back in September 2025, two Android zero-days were already being exploited at the time of the patch. Since then, the pace has not let up: two more flaws exploited in December 2025, one in March 2026 in the graphics component of Qualcomm chips, then June's. Counting from December, that makes four actively exploited Android zero-days patched in six months.
And the trend is not limited to Android. In its 2025 review, the Google Threat Intelligence Group counted 15 mobile zero-days exploited in the wild, across all mobile devices, up from 9 in 2024. The exploitation of mobile vulnerabilities before a patch is available has established itself as a durable feature of the threat landscape, not a one-off alert.
Enterprise mobile fleets on the front line
Once a device is compromised through this kind of flaw, everything it holds falls into the attacker's hands. On a work phone, that means the company's email, business apps and sensitive documents. Compromising a single device, especially that of an executive or an exposed employee, opens a direct door to the organization's data.
Two factors make the situation worse. First, Android fragmentation: outside of Pixel devices, the fixes in the monthly bulletin often take several weeks to reach handsets, sometimes longer, because each manufacturer and carrier has to integrate and ship them. The window during which the flaw is public but unpatched therefore stays open across a large share of the fleet. Second, BYOD: many employees work from a personal phone, with no guarantee that it receives updates at all.
In March 2026 in particular, the gap between the reporting of the Qualcomm zero-day and the release of its patch reached two and a half months, while the flaw was already being exploited.
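The practical check that follows from this is to compare each device's reported security patch level against the level that carries the fix, rather than trusting that "the update is out". The following is an added example, not Pradeo's or Google's code: it assumes the fixed level is the June 2026 bulletin's `2026-06-01` patch string (verify against the bulletin), and the inventory values are constructed, in the `YYYY-MM-DD` format that `adb shell getprop ro.build.version.security_patch` or an MDM reports. Android bulletins carry two levels per month (`-01` and `-05`), so a device at `2026-06-05` is at or beyond the fixed level.

```python
from datetime import date

# ASSUMPTION: the patch level that ships the fix. Taken here as the June 2026
# bulletin's first level; confirm against the bulletin before using it.
FIXED_PATCH_LEVEL = "2026-06-01"

# Constructed inventory (not real devices): device id -> reported value of
# ro.build.version.security_patch. Includes a malformed entry to show how
# unparseable data is treated.
INVENTORY = {
    "pixel-exec":     "2026-06-05",
    "galaxy-sales-1": "2026-05-01",
    "galaxy-sales-2": "2026-03-01",
    "byod-personal":  "2025-11-01",
    "tablet-kiosk":   "garbage",
}


def parse_patch_level(value):
    """Parse a YYYY-MM-DD patch level; return None for missing or malformed values."""
    try:
        y, m, d = (int(part) for part in value.strip().split("-"))
        return date(y, m, d)
    except (ValueError, AttributeError):
        return None


def triage(inventory, fixed_level=FIXED_PATCH_LEVEL):
    """Return {device: days_behind} for every device still exposed.

    A device whose level cannot be parsed is reported with None and should be
    treated as exposed: an unknown patch level is not evidence of a patch.
    """
    fixed = parse_patch_level(fixed_level)
    exposed = {}
    for device, level in inventory.items():
        reported = parse_patch_level(level)
        if reported is None:
            exposed[device] = None
        elif reported < fixed:
            exposed[device] = (fixed - reported).days
    return exposed


if __name__ == "__main__":
    for device, lag in sorted(triage(INVENTORY).items(), key=lambda kv: kv[0]):
        print(f"{device}: {'unknown patch level' if lag is None else f'{lag} days behind'}")
```

Run against the real fleet export, the output is the list of handsets on which the framework flaw remains exploitable and for how long they have been waiting on their manufacturer, which is the figure the BYOD and fragmentation discussion above turns on.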
Updating is no longer enough
Installing the June patch is essential, but it is not always enough to secure corporate data on mobile. Given these deployment delays and zero-days exploited before a patch is even released, waiting for the update cannot remain the only line of defense.
Pradeo Mobile Threat Defense detects and neutralizes exploitation attempts in real time, across every vector, whether it is the operating system, applications or the network. It protects users and their devices, including those that are not up to date or will never receive a patch, while giving security teams visibility over the state of each device. Corporate data stays secure, including in BYOD environments.