CISA Adds Two Known Exploited Vulnerabilities to Catalog (CVE-2022-0492, CVE-2025-48595)
CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog to include CVE-2022-0492, a Linux Kernel improper authentication vulnerability, and CVE-2025-48595, an Android Framework integer overflow vulnerability, citing evidence of active exploitation in the wild.
What Happened
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert regarding two security flaws that attackers are actively exploiting. The affected systems are the Linux operating system kernel and the Android mobile framework. Because these vulnerabilities are being used in real-world attacks, they pose a significant risk to organizations. System administrators and security teams should apply the latest security updates to affected Linux and Android devices without delay.
Key Takeaways
- CISA has added CVE-2022-0492 (Linux Kernel) and CVE-2025-48595 (Android Framework) to the Known Exploited Vulnerabilities (KEV) Catalog.
- Both vulnerabilities have evidence of active exploitation by malicious cyber actors.
- Federal Civilian Executive Branch (FCEB) agencies are mandated by BOD 22-01 to remediate these vulnerabilities.
- CISA strongly urges all organizations to prioritize patching these vulnerabilities to reduce exposure to cyberattacks.
Affected Systems
- Linux Kernel
- Android Framework
Vulnerabilities (CVEs)
- CVE-2022-0492
- CVE-2025-48595
Attack Chain
The provided alert does not detail the specific attack chain, but notes that malicious cyber actors are actively exploiting an improper authentication vulnerability in the Linux Kernel (CVE-2022-0492) and an integer overflow vulnerability in the Android Framework (CVE-2025-48595).
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
No detection rules or queries are provided in the alert.
Detection Engineering Assessment
- EDR Visibility: Low — The alert provides no technical details, IOCs, or behavioral indicators to guide EDR detection.
- Network Visibility: Low — No network indicators or traffic patterns are described in the alert.
- Detection Difficulty: Hard — Without specific exploit payloads or behavioral indicators, detection relies entirely on vulnerability scanning rather than threat hunting.
Required Log Sources
- Vulnerability Management Scanners
- Patch Management Systems
Control Gaps
- Lack of timely patch management for known exploited vulnerabilities
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Identify and patch all assets vulnerable to CVE-2022-0492 (Linux Kernel) and CVE-2025-48595 (Android Framework) immediately.
Infrastructure Hardening
- Consider integrating CISA's Known Exploited Vulnerabilities (KEV) Catalog into your organization's vulnerability management and prioritization processes.
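One way to put the KEV catalog into a prioritization loop, as an added example that is not from the alert or from CISA: index the catalog JSON by CVE ID and rank scanner findings by how close (or past) their KEV due date is. The feed shape follows CISA's published JSON schema; the catalog entries, dates and asset findings below are constructed placeholders, not real catalog values.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's public KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Dates here are placeholders, not the catalog's actual dateAdded/dueDate values.
SAMPLE_KEV_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2022-0492", "vendorProject": "Linux", "product": "Kernel",
     "vulnerabilityName": "Linux Kernel Improper Authentication Vulnerability",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-48595", "vendorProject": "Android", "product": "Framework",
     "vulnerabilityName": "Android Framework Integer Overflow Vulnerability",
     "dateAdded": "2025-01-01", "dueDate": "2025-01-22",
     "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: asset name -> CVE IDs reported for that asset.
SAMPLE_FINDINGS = {
    "web-01": ["CVE-2022-0492", "CVE-2099-0001"],
    "phone-17": ["CVE-2025-48595"],
    "db-02": ["CVE-2099-0002"],
}


def load_kev_index(kev_json: str) -> dict:
    """Index the KEV feed by CVE ID so each finding is a single dict lookup."""
    catalog = json.loads(kev_json)
    return {entry["cveID"]: entry for entry in catalog["vulnerabilities"]}


def prioritize(findings: dict, kev: dict, today_iso: str) -> list:
    """Return only KEV-listed findings, most overdue first.
    Each item: (asset, cveID, dueDate, days_until_due); negative = overdue."""
    today = date.fromisoformat(today_iso)
    hits = []
    for asset, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue  # not in KEV: leave it to the normal CVSS-based schedule
            due = date.fromisoformat(entry["dueDate"])
            hits.append((asset, cve, entry["dueDate"], (due - today).days))
    return sorted(hits, key=lambda h: h[3])
```

Swapping `SAMPLE_KEV_JSON` for the downloaded feed and `SAMPLE_FINDINGS` for a scanner export gives a daily list of assets whose remediation deadline has passed or is imminent.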
User Protection
- Evaluate whether Android devices used within the organization are updated to the latest OS version to mitigate CVE-2025-48595.
Security Awareness
- Consider educating system administrators on the importance of prioritizing KEV catalog vulnerabilities as part of standard vulnerability management practices.