CISA KEV Alert: CVE-2022-0492 & CVE-2025-48595 Added to Known Exploited Vulnerabilities Catalog
Active exploitation confirmed — here's what your security team must do in the next 30 days
Published 2026-06-03
On June 2, 2026, CISA added two actively exploited vulnerabilities — CVE-2022-0492 (Linux Kernel Improper Authentication) and CVE-2025-48595 (Android Framework Integer Overflow) — to its Known Exploited Vulnerabilities Catalog, triggering mandatory remediation timelines for federal agencies and raising the urgency bar for every organization subject to modern compliance frameworks.
What the Advisory Actually Says
CISA's Binding Operational Directive 22-01 designates the KEV Catalog as the authoritative list of CVEs under active exploitation that carry significant risk to the federal enterprise. Federal Civilian Executive Branch (FCEB) agencies are legally required to remediate all catalogued vulnerabilities by their stated due dates.
- CVE-2022-0492 is a missing capability check in the Linux kernel's cgroup v1 release_agent feature (catalogued as Improper Authentication, CWE-287). A process that could mount a cgroup v1 hierarchy was able to set release_agent without holding CAP_SYS_ADMIN in the initial user namespace, and the release agent runs as root on the host. That turns the bug into a local privilege escalation for unprivileged users on hosts where unprivileged user namespaces are enabled, and into a container escape for containers run as root without the default seccomp and AppArmor profiles (or with --privileged).
- CVE-2025-48595 affects the Android Framework via an integer overflow, a memory-safety bug class that is routinely chained into arbitrary code execution on the device.
Inclusion in the KEV Catalog means CISA has reliable evidence of exploitation in the wild, not merely a public proof of concept; treat both as weaponized.
Why This Matters Beyond Federal Networks
KEV listings are not just a federal compliance checkbox. They function as a high-confidence signal that threat actors — including ransomware groups and state-sponsored operators — are actively incorporating these flaws into their toolkits.
For organizations operating under NIS2, SOC 2, ISO 27001, HIPAA, or PCI DSS, the implications are direct:
- NIS2 (Article 21) requires essential and important entities to maintain vulnerability-handling measures and to apply fixes for actively exploited flaws promptly; Article 23 requires an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident.
- SOC 2 (CC7.1) expects detection and monitoring procedures that identify susceptibility to newly discovered vulnerabilities, followed by prompt response.
- ISO/IEC 27001:2022 (Annex A 8.8, Management of technical vulnerabilities) mandates obtaining vulnerability information for the systems in use and taking appropriate measures in a timely way.
- HIPAA requires covered entities and business associates to address known risks to ePHI, and Linux servers and Android devices are common components in healthcare environments.
- PCI DSS v4.0 (Req. 6.3.3) requires patches for critical or high-risk vulnerabilities to be installed within one month of release.
A single unpatched Linux host or unmanaged Android endpoint in scope of any of these frameworks can produce audit findings, regulatory penalties, or — worse — a reportable breach.
What You Should Do in the Next 7–30 Days
Days 1–7 — Inventory and Assess
- Run an authenticated vulnerability scan across all Linux-based servers, container hosts, and Android endpoints. For the kernel flaw, compare running kernel versions against your distribution's advisory rather than the upstream version number, since most distributions backport the fix without changing the major version.
- Identify every asset running an affected kernel build or an Android security patch level below the fixed one, and assign an owner to each.
- Confirm whether any affected assets process regulated data (PHI, cardholder data, personal data under NIS2/GDPR).
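The exposure conditions for the kernel flaw described above can be collected per host during the inventory step. The script below is an added example for this article, not tooling from CISA or the advisory. Its triage thresholds are an assumption: unprivileged user namespaces enabled means any local user can obtain CAP_SYS_ADMIN in a namespace and mount cgroup v1, so that is rated HIGH; cgroup v1 in use without that means only root-in-container workloads lacking seccomp/AppArmor can reach the bug, rated MEDIUM. The sysctl names and /proc paths are real; the sample mount listing in `triage_sample` is constructed.

```shell
#!/bin/sh
# Added example: triage a Linux host's exposure to the CVE-2022-0492
# cgroup v1 release_agent path. Conditions encoded here are an assumption
# drawn from public analysis of the bug, not from the CISA advisory.

# count_cgroup_v1_mounts: count mounts of type "cgroup" (v1) in a
# /proc/mounts-formatted listing read from stdin; "cgroup2" is not counted.
count_cgroup_v1_mounts() {
    awk '$3 == "cgroup" { n++ } END { print n + 0 }'
}

# userns_unprivileged_enabled MAX CLONE: "yes" when an unprivileged process
# can create a user namespace. MAX is user.max_user_namespaces; CLONE is
# kernel.unprivileged_userns_clone (Debian/Ubuntu only; pass "" if absent).
userns_unprivileged_enabled() {
    max=$1
    clone=$2
    if [ "$max" -eq 0 ] 2>/dev/null; then
        echo no
    elif [ -n "$clone" ] && [ "$clone" -eq 0 ] 2>/dev/null; then
        echo no
    else
        echo yes
    fi
}

# rate_exposure V1_MOUNTS USERNS: triage label (assumed thresholds).
#   HIGH   - unprivileged user namespaces on: any local user can reach the bug
#   MEDIUM - cgroup v1 in use, user namespaces restricted: root-in-container
#            workloads without seccomp/AppArmor, or --privileged, still can
#   LOW    - neither condition observed; patch on the normal schedule
rate_exposure() {
    v1=$1
    userns=$2
    if [ "$userns" = "yes" ]; then
        echo HIGH
    elif [ "$v1" -gt 0 ] 2>/dev/null; then
        echo MEDIUM
    else
        echo LOW
    fi
}

# triage_live: collect the facts from the running host and print one
# inventory record. The kernel version is printed for the owner to compare
# against the distribution's advisory; backports mean the version number
# alone does not prove the fix is absent.
triage_live() {
    v1=$(count_cgroup_v1_mounts < /proc/mounts)
    max=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
    clone=$(cat /proc/sys/kernel/unprivileged_userns_clone 2>/dev/null || echo "")
    userns=$(userns_unprivileged_enabled "$max" "$clone")
    # Direct probe: can this (unprivileged) process create a user namespace?
    # Disagreement with the sysctl view usually means seccomp or an LSM.
    if unshare -Ur true 2>/dev/null; then probe=yes; else probe=no; fi
    printf 'host=%s kernel=%s cgroup_v1_mounts=%s userns_sysctl=%s userns_probe=%s exposure=%s\n' \
        "$(hostname)" "$(uname -r)" "$v1" "$userns" "$probe" \
        "$(rate_exposure "$v1" "$userns")"
}

# triage_sample: same logic over a constructed /proc/mounts listing and
# sysctl values (sample data, not captured from a real host). A hybrid
# cgroup host with unprivileged user namespaces enabled rates HIGH.
triage_sample() {
    sample_mounts='cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,xattr,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,memory 0 0
proc /proc proc rw 0 0'
    v1=$(printf '%s\n' "$sample_mounts" | count_cgroup_v1_mounts)
    userns=$(userns_unprivileged_enabled 15000 1)
    rate_exposure "$v1" "$userns"
}

# Run against the real host only when asked, so the file can be sourced.
if [ "${1:-}" = "--live" ]; then
    triage_live
fi
```

Run it as `sh triage.sh --live` on each Linux host from the scan results and keep the output line with the asset record; a HIGH result with `userns_probe=yes` on an unpatched kernel should move the host to the front of the patch queue.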
Days 8–14 — Prioritize and Patch
- Apply vendor-supplied patches or mitigations where available. If patching is not immediately possible, implement compensating controls such as network segmentation, enhanced logging, and endpoint detection rules. For the kernel flaw, interim mitigations are to keep the default seccomp and AppArmor profiles on containers (they block the mount and unshare calls the escape needs), avoid --privileged workloads, and disable unprivileged user namespaces on hosts whose workloads do not require them.
- Use your MDM platform to enforce a minimum Android security patch level and to block non-compliant devices from corporate resources until they update.
Days 15–30 — Document, Map, and Report
- Record all remediation actions with timestamps — essential evidence for SOC 2 auditors, ISO 27001 surveillance reviews, and NIS2 incident documentation.
- Map your remediation activity to each applicable framework control in your GRC system so gaps don't resurface at your next audit.
- If any indication of exploitation is found, initiate your incident response plan and assess NIS2 or HIPAA breach notification obligations.
Start Your Free Trial of RDS GoSOC AI — All Features Unlocked
RDS GoSOC AI gives your team a unified AI SOC and compliance platform that continuously monitors for KEV-listed vulnerabilities, maps findings to all 16 supported frameworks — including NIS2, SOC 2, ISO 27001, HIPAA, and PCI DSS — and surfaces prioritized remediation guidance in a single dashboard. You can register for a 14-day free trial with every paid feature unlocked — no credit card required. Once inside, open the User Guide tab to orient your team, and ask Sage, the platform's AI assistant, any setup or compliance questions. When a CISA KEV alert lands on a Monday morning, GoSOC AI ensures you already know which of your assets are exposed and exactly which control gaps need closing.