Cyber Threat Brief — June 3 2026
⚠️ This report is AI-generated. Always validate findings.
1. Android Framework Zero-Day Under Targeted Exploitation — CVE-2025-48595
TL;DR: Google patched an actively exploited integer overflow privilege escalation in Android Framework (CVSS 8.4). CISA added it to the KEV catalog on June 2 with an aggressive June 5 federal deadline; the 3-day fuse signals high confidence in active exploitation.
What’s New:
- Google June 2026 security update patches 124 flaws; CVE-2025-48595 confirmed exploited in the wild (ITW)
- Integer overflow enables privilege escalation without user interaction; local attack vector suggests malicious app delivery
- “Limited, targeted exploitation” language consistent with commercial spyware or state-sponsored targeting
- Affects Android 14, 15, 16, and 16-qpr2
- CISA KEV June 2, federal deadline June 5 (3-day fuse)
Actionable Intel
| Artifact | Type | ATT&CK | Log Source | Action |
|---|---|---|---|---|
| Unpatched Android < June 2026 SPL | Config | T1068 | MDM/UEM | Enforce June 2026 security patch level compliance |
| Sideloaded APK delivery | TTP | T1204.002 | MDM/Google Workspace | Alert on non-Play Store app installs on managed devices |
| Privilege escalation post-app-install | TTP | T1068 | Android audit logs | Monitor for unexpected privilege grants |
| Conditional Access policy gap | Config | T1078 | Azure AD/Okta device trust | Block non-compliant Android devices from corp resources |
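
An added example, not part of the original brief or any vendor tooling: a fleet check that applies the patch-level, sideload and Conditional Access rows above to an MDM/UEM export. The CSV column names, the sample devices and the `2026-06-01` threshold for the June 2026 patch level are assumptions.

```python
import csv
import io
from datetime import date

# Assumption: the June 2026 security patch level is reported as 2026-06-01 or later.
REQUIRED_SPL = date(2026, 6, 1)
AFFECTED_MAJOR = {"14", "15", "16"}   # versions the brief lists as affected
PLAY_STORE = "com.android.vending"    # Google Play Store installer package name

# Constructed sample of an MDM/UEM export; column names are hypothetical.
SAMPLE_EXPORT = """device_id,os_version,security_patch_level,app_installers
pixel-001,16,2026-06-05,com.android.vending
pixel-002,15,2026-05-01,com.android.vending
galaxy-003,14,2026-06-01,com.android.vending;com.android.packageinstaller
tab-004,16-qpr2,,com.android.vending
moto-005,13,2026-03-01,com.android.vending
"""

def parse_spl(value):
    """Return the patch level as a date, or None if missing or malformed."""
    try:
        return date.fromisoformat(value.strip())
    except (ValueError, AttributeError):
        return None

def evaluate(row):
    """Return (decision, reasons) for one inventory row."""
    reasons = []
    major = row["os_version"].split("-")[0].split(".")[0]  # "16-qpr2" -> "16"
    spl = parse_spl(row["security_patch_level"])
    if major in AFFECTED_MAJOR:  # this check is scoped to CVE-2025-48595 only
        if spl is None:
            reasons.append("patch level unknown")  # fail closed
        elif spl < REQUIRED_SPL:
            reasons.append(f"patch level {spl} below {REQUIRED_SPL}")
    installers = [i for i in row["app_installers"].split(";") if i]
    if any(i != PLAY_STORE for i in installers):
        reasons.append("non-Play Store app install")
    return ("block" if reasons else "allow", reasons)

def assess(export_text):
    """Map device_id -> (decision, reasons) for a CSV export."""
    reader = csv.DictReader(io.StringIO(export_text))
    return {row["device_id"]: evaluate(row) for row in reader}

if __name__ == "__main__":
    for device, (decision, reasons) in assess(SAMPLE_EXPORT).items():
        print(f"{device:12} {decision:6} {'; '.join(reasons)}")
```

Patch levels are parsed as dates rather than compared as strings, and a device on an affected version with a missing or unparseable patch level is blocked rather than silently passed.
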
Detection
| Source | Rule | Gap |
|---|---|---|
| Splunk ESCU | None | No mobile-specific detection; enforce MDM compliance checks |
| Elastic | None | No mobile-specific detection |
| Sigma | None | No mobile-specific detection; gap in Android device trust monitoring |
Sources: Google June 2026 Android Update | Help Net Security | BleepingComputer | CISA KEV
Status Updates
- CVE-2026-41091/CVE-2026-45498 (Windows Defender RedSun/UnDefend): CISA KEV federal deadline TODAY June 3. Both patched May 19-21. Chained ITW per Huntress. Verify Engine >= 1.1.26040.8 and Platform >= 4.18.26040.7. Original brief.
- CVE-2026-41089 (Windows Netlogon RCE): ITW exploitation ongoing. No new IOCs. Patched May 13 Patch Tuesday. Hunt: CLDAP oversized User attribute on UDP/389, lsass.exe crashes (EID 1000), Netlogon service restarts (EID 7031). Original brief.
- CVE-2024-21182 (Oracle WebLogic T3/IIOP): CISA KEV deadline June 22. Cobalt Strike/Sodinokibi delivery ongoing via ports 7001/7002. Original brief.