ELEVATED 5 min read 3 Jun 2026

Android CVE-2025-48595 and CISA KEV CVE-2022-0492 Lead a Patch-Routing Day

The 03 June intelligence sweep is consolidated into five priority findings plus updates to ongoing stories. The highest-priority actions are patch compliance for KEV-listed Android CVE-2025-48595, Linux/container checks for KEV-listed CVE-2022-0492, and owner routing for a broad EU advisory cluster.


Finding 1: Android CVE-2025-48595 (CISA KEV) active-exploitation patch compliance

Confidence: Low/Unverified

The 03 June intelligence sweep flags Android CVE-2025-48595 as a managed-mobile patch-compliance item. SecurityWeek reports that Google's Android update patches CVE-2025-48595 and 123 other vulnerabilities, with CVE-2025-48595 described as exploited in limited, targeted attacks. CVE-2025-48595 is also listed on CISA's Known Exploited Vulnerabilities catalogue (2026-06-02 release), which corroborates the exploitation signal beyond the single SecurityWeek source.

The call is simple. This is not a broad mobile panic item. It is a patch-status question for managed Android fleets. Teams should confirm whether exposed or sensitive-user devices have received the June Android security update, then record exceptions by device owner and business function.

Action: Treat managed Android patch state as P1 for the next seven days. Prioritise devices used by administrators, executives, incident responders, and users in higher-risk roles. Where patching depends on OEM or carrier release timing, document the blocked population and keep Samsung/Android remediation mapping current through NCSC-NL NCSC-2026-0173.

Source: SecurityWeek, plus NCSC-NL NCSC-2026-0173.

Finding 2: CISA KEV adds Linux kernel/container CVE-2022-0492

Confidence: Low/Unverified

The intelligence sweep brings the CISA Known Exploited Vulnerabilities entry for CVE-2022-0492 into today's brief. It is an existing KEV listing rather than a new addition, so treat it as standing exposure to confirm. The brief routes this to legacy kernels, Kubernetes nodes, privileged containers, and cgroup exposure checks.

The age of the CVE matters less than the KEV signal. If a legacy Linux estate, old container host, or privileged workload still carries exposure, this becomes an asset-discovery and exception-management problem. The highest-risk systems are those where container isolation assumptions are part of the control model.

Action: Check kernel versions and container runtime exposure on Kubernetes nodes, CI workers, shared Linux hosts, and any environment using privileged containers. Confirm whether remediation is already covered by current distribution baselines. Escalate exceptions where internet-facing services, shared tenancy, or administrative workloads are present.
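One way to build the privileged-workload review list for this action, as an added example that is not part of the original brief: it reads pod JSON in the shape returned by `kubectl get pods -A -o json` and groups containers with weakened isolation by node. The sample data, the function names, and the choice of settings to flag (privileged, added SYS_ADMIN, explicit Unconfined seccomp) are assumptions of this example.

```python
# Constructed sample shaped like `kubectl get pods -A -o json`, trimmed to the fields used.
SAMPLE = {"items": [
    {"metadata": {"namespace": "ci", "name": "runner-0"},
     "spec": {"nodeName": "node-a", "containers": [
         {"name": "dind", "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "web", "name": "api-1"},
     "spec": {"nodeName": "node-b",
              "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
              "containers": [{"name": "api", "securityContext": {
                  "capabilities": {"drop": ["ALL"]}}}]}},
    {"metadata": {"namespace": "ops", "name": "backup-2"},
     "spec": {"nodeName": "node-a",
              "securityContext": {"seccompProfile": {"type": "Unconfined"}},
              "containers": [{"name": "agent", "securityContext": {
                  "capabilities": {"add": ["SYS_ADMIN"]}}}]}},
]}


def container_findings(pod_sc, ctr):
    """Return the isolation-weakening settings present on one container."""
    sc = ctr.get("securityContext") or {}
    reasons = ["privileged"] if sc.get("privileged") else []
    added = (sc.get("capabilities") or {}).get("add") or []
    if any(c.upper() in ("SYS_ADMIN", "CAP_SYS_ADMIN", "ALL") for c in added):
        reasons.append("cap-sys-admin")
    # Container-level seccomp overrides the pod-level profile; an unset profile is not flagged.
    seccomp = sc.get("seccompProfile") or pod_sc.get("seccompProfile") or {}
    if seccomp.get("type") == "Unconfined":
        reasons.append("seccomp-unconfined")
    return reasons


def review_list(pod_list):
    """Map node name -> [(namespace/pod/container, reasons)] for owner follow-up."""
    by_node = {}
    for pod in pod_list.get("items", []):
        spec, meta = pod.get("spec", {}), pod.get("metadata", {})
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("containers", []) + spec.get("initContainers", []):
            reasons = container_findings(pod_sc, ctr)
            if reasons:
                ref = f"{meta.get('namespace')}/{meta.get('name')}/{ctr.get('name')}"
                node = spec.get("nodeName", "unscheduled")
                by_node.setdefault(node, []).append((ref, reasons))
    return by_node


if __name__ == "__main__":
    print(review_list(SAMPLE))
```

Pair the flagged node names with `.status.nodeInfo.kernelVersion` from `kubectl get nodes -o json` and compare those kernel versions against the distribution's advisory for CVE-2022-0492.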

Source: CISA KEV catalogue.

Finding 3: EU Tier-0 advisories create an owner assignment queue

Confidence: Low/Unverified

The largest change is volume. The 03 June intelligence sweep contains new Tier-0 or national-advisory items for IBM WebSphere, Microsoft SharePoint, Mozilla Firefox for iOS, Google Android and Samsung Mobile remediation, Apache Kafka, Ivanti Neurons for ITSM, OpenSC, Nextcloud, and Red Hat OpenShift. These items do not all deserve the same urgency, but each needs an accountable owner.

The risk is queue failure. Middleware, collaboration, ITSM, smart-card, OpenShift, Kafka, and mobile-browser owners may sit in different teams. A daily advisory spike can turn into missed routing if everything lands in one generic patch inbox.

Action: Build a same-day routing table. Assign WebSphere to Java middleware owners, SharePoint and Nextcloud to collaboration owners, Kafka to platform/data-stream owners, Ivanti to ITSM owners, OpenSC to endpoint and privileged-admin endpoint owners, and OpenShift to platform owners. Ask each owner for exposure, patch availability, and planned remediation date.

Sources: BSI WID-SEC-2026-1762, WID-SEC-2026-1764, WID-SEC-2026-1763, WID-SEC-2026-1765, WID-SEC-2026-1767, WID-SEC-2026-1769, WID-SEC-2026-1773, WID-SEC-2026-1768, and NCSC-NL NCSC-2026-0173.

Finding 4: Linux, desktop, and package baseline items need hygiene without over-escalation

Confidence: Low/Unverified

The intelligence sweep lists new package and platform items for libsoup CVE-2026-6324, X.Org/Xwayland CVE-2025-26597, glib-networking CVE-2026-10028, Ubuntu Tomcat Connectors USN-8369-1 / CVE-2024-46544, Ubuntu age USN-8372-1 / CVE-2024-56327, Ubuntu libeconf USN-8368-1 / CVE-2023-22652, Ubuntu EditorConfig USN-8238-2 / CVE-2026-40489, and an OpenSSH rowhammer-related NVD entry, CVE-2023-51767.

This set is best handled through baseline engineering, not incident response. The practical question is where these packages appear in base images, developer workstations, VDI, kiosk builds, CI images, Linux clients, appliances, and Java web front ends.

Action: Fold these into normal package and image rebuild workflows. Prioritise exposed services and shared desktop contexts ahead of low-actionability items. Keep OpenSSH CVE-2023-51767 on watch until distribution or vendor clarification gives a clearer remediation path.

Sources: MSRC, NVD, and Ubuntu notices.

Finding 5: Kirki WordPress CVE-2026-8206 adds a second admin-account risk

Confidence: Low/Unverified

The intelligence sweep promotes a new BleepingComputer report on CVE-2026-8206, a Kirki WordPress flaw reported as exploited to hijack administrator accounts. This is separate from yesterday's WP Maps Pro CVE-2026-8732 story, which was already published and is not repeated as today's lead.

The common risk is administrator-account abuse in WordPress estates. Even where a site is patched, unexpected administrator creation is a high-value detection point because it can persist after the vulnerable component is removed.

Action: Check Kirki usage, plugin versions, and recent administrator-account changes. Keep the WP Maps Pro remediation from 02 June open until admin-account review is complete across affected WordPress sites.
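A sketch of the administrator-account review described above, added here as an example and not taken from the brief or from any vendor tooling: it compares a site's current administrators against an approved baseline and flags new, recently created, re-addressed, or missing accounts. It assumes the current list was exported with WP-CLI's `wp user list` in JSON format; the baseline, sample users, finding labels and review window are constructed for illustration.

```python
import json
from datetime import datetime

# Constructed baseline of approved administrators (login -> email) from the last review.
BASELINE = {"site-admin": "admin@example.org", "editor-lead": "lead@example.org"}

# Constructed sample shaped like the JSON from:
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=json
CURRENT = json.loads("""[
 {"ID": 1, "user_login": "site-admin", "user_email": "admin@example.org", "user_registered": "2023-02-11 09:14:03"},
 {"ID": 7, "user_login": "editor-lead", "user_email": "lead@mail.example.net", "user_registered": "2024-05-30 16:40:21"},
 {"ID": 42, "user_login": "wp_support", "user_email": "support@mail.example.net", "user_registered": "2026-06-02 03:12:55"}
]""")


def audit_admins(current, baseline, window_start):
    """Return (login, finding) pairs for administrators that need owner review."""
    findings = []
    seen = set()
    for user in current:
        login = user["user_login"]
        seen.add(login)
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login not in baseline:
            findings.append((login, "not-in-baseline"))
            if registered >= window_start:
                findings.append((login, "created-in-window"))
        elif user["user_email"].lower() != baseline[login].lower():
            # An approved login with a new address can indicate a hijacked account.
            findings.append((login, "email-changed"))
    # Approved administrators that disappeared or were demoted also need a look.
    for login in sorted(set(baseline) - seen):
        findings.append((login, "missing-from-site"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_admins(CURRENT, BASELINE, datetime(2026, 5, 27)):
        print(f"{login}: {finding}")
```

Run it per site and keep the output with the remediation ticket, since an unexpected administrator can outlast removal of the vulnerable plugin.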

Source: BleepingComputer.

Updates to ongoing stories

Confidence: Low/Unverified

  • Oracle WebLogic exploited-patch reporting: The intelligence sweep marks this as an update with patch-released materiality. Verify against CISA KEV and Oracle alerts before raising customer-facing urgency.
  • Gamaredon and WinRAR CVE-2025-8088: The intelligence sweep records attribution change, with GammaWorm and GammaSteel delivery against Ukraine. CVE-2025-8088 is on CISA's KEV catalogue, so treat WinRAR archive-handling exposure as actively exploited. Keep Europe-facing phishing and archive-handling controls in scope.
  • praisonai-platform CVE-2026-47411 / GHSA-rcmc-q9rj-4wmq: route as low-priority dependency hygiene.
  • Palo Alto VPN / PAN-OS CVE-2026-0257 context: CVE-2026-0257 is on CISA's KEV catalogue, and active-exploitation coverage was re-promoted by the sweep's sidecar. This remains a short update because Palo Alto exploitation was previously covered.
  • Red Hat npm / Miasma and WP Maps Pro CVE-2026-8732: both remain relevant from yesterday's bundle. Today's evidence changes their status, not the core recommended actions.

Why This Matters

The day is less about one headline exploit and more about avoiding routing failure. Today's brief shows a wide set of eligible findings that would be easy to mishandle if they were all treated as the same patch ticket.

The right response is owner-driven: confirm mobile patch state, verify Linux/container exposure, route EU advisory items to named service owners, and keep WordPress administrator-account checks active. Most findings are still Low/Unverified. Move owners, but do not imply confirmed compromise across the estate.

Recommended Actions

  • P1: Confirm Android CVE-2025-48595 patch status for managed devices and record OEM/carrier blockers.
  • P1: Check Linux and Kubernetes exposure for CVE-2022-0492, especially legacy kernels, privileged containers, cgroups, CI workers, and shared hosts.
  • P1: Route the EU advisory cluster to named middleware, collaboration, ITSM, OpenShift, Kafka, smart-card, and mobile owners.
  • P2: Fold libsoup, X.Org/Xwayland, glib-networking, Ubuntu package notices, and OpenSSH CVE-2023-51767 into package/image baselines.
  • P2: Check Kirki and WP Maps Pro exposure, then audit WordPress administrator-account changes.

All findings grounded in a13e intelligence sweeps through 04:55 UTC 03 June 2026.
