June 2026 Enterprise Mobile Security Patches: iOS, Android, and MDM Platform Updates
June 2026 brings two critical iOS WebKit vulnerabilities confirmed as actively exploited, a significant Bluetooth stack CVE in Android's June Security Bulletin, and a privilege escalation fix in BlackBerry UEM 12.21.1. This roundup covers urgency ratings and deployment guidance for each platform.
Summary: June 2026 Patch Urgency at a Glance
| Platform | Release | CVEs Addressed | Urgency |
|---|---|---|---|
| Apple iOS / iPadOS | 17.5.2 | 2 (both actively exploited) | Emergency |
| Android (Google) | 2026-06-05 SPL | 42 (1 Critical — Bluetooth) | High |
| BlackBerry UEM | 12.21.1 | 1 (privilege escalation) | Moderate-High |
| Microsoft Intune | 2406.1 | 0 security CVEs (bug fixes) | Routine |
| VMware Workspace ONE | VMSA-2026-0012 | 2 (Medium severity) | Routine |
| Samsung Knox SMR | June 2026 SMR | Includes Android June + Knox-specific | High |
iOS 17.5.2 — Two Actively Exploited WebKit Zero-Days
Apple released iOS 17.5.2 on June 3, 2026, addressing two memory corruption vulnerabilities in WebKit — the browser engine used by Safari and all third-party web views on iOS. Both vulnerabilities were assigned Critical severity.
CVE-2026-23222 is a type confusion vulnerability in WebKit's JavaScript engine that allows an attacker to achieve remote code execution by directing a user to a maliciously crafted web page. Processing the page triggers the type confusion condition in JavaScript array handling, leading to arbitrary code execution in the browser process context.
The vulnerability was reported to Apple by security researchers who observed it being exploited in targeted attacks against high-value individuals prior to Apple's public disclosure.
CVE-2026-23223 is a use-after-free vulnerability in WebKit's rendering engine triggered by malicious HTML content. It is distinct from CVE-2026-23222 but was being exploited in conjunction with it in the observed attack chains — the two vulnerabilities were chained to achieve reliable code execution followed by sandbox escape. Apple confirmed both CVEs have been exploited in the wild.
Deploy iOS 17.5.2 via MDM Software Update policy within 72 hours on all supervised corporate devices. Override any active 90-day deferral policy for this specific update. The CISA KEV listing makes this mandatory for US federal agencies within the standard 3-day KEV remediation window.
Enterprise IT teams managing iOS devices via BlackBerry UEM should create an emergency Software Updates policy targeting iOS 17.5.2 or later with an Immediately schedule and assign it to all managed iOS device groups. In Microsoft Intune, set a compliance policy condition for iOS minimum OS version 17.5.2 and combine it with a Conditional Access policy to block non-compliant devices from accessing corporate resources after a 3-day grace period.
The Rapid Security Response that preceded iOS 17.5.2 partially addressed CVE-2026-23222 for iOS 17.5.1 devices, but iOS 17.5.2 provides the complete fix for both CVEs.
Android June 2026 Security Bulletin — Critical Bluetooth CVE
Google's June 2026 Android Security Bulletin, published on June 1, 2026, discloses 42 CVEs across AOSP, Qualcomm, MediaTek, and kernel components. The most significant is CVE-2026-24019, a critical remote code execution vulnerability in the Android Bluetooth stack.
CVE-2026-24019 (CVSS 9.1) is a heap buffer overflow in the BlueZ Bluetooth protocol stack that affects Android devices running Android 12 through Android 15. The vulnerability can be triggered by a proximity attacker — no user interaction is required beyond having Bluetooth enabled on the target device. An attacker within Bluetooth range sends a malformed L2CAP packet that triggers the overflow condition, potentially achieving remote code execution in the Bluetooth daemon process.
Google notes that exploitation requires the attacker to be within physical Bluetooth range (typically 10 to 30 meters) and that Bluetooth must be active on the target device. This limits mass-exploitation scenarios but makes the vulnerability significant in targeted attack contexts such as airports, conference venues, and shared office environments.
The full 2026-06-05 patch level is required to receive the CVE-2026-24019 fix. The partial 2026-06-01 level covers AOSP components but does not include the Bluetooth stack fix, which is bundled in the kernel and vendor-specific patch components of the full level. Enterprise compliance policies should enforce the 2026-06-05 full patch level rather than accepting the 2026-06-01 partial level for June.
Samsung Galaxy devices receive the June 2026 fix through the monthly SMR released during the first week of June. The SMR includes all Google bulletin CVEs plus two Samsung-specific Knox patches: one addressing a race condition in Knox Workspace initialization (medium severity) and one correcting an information disclosure in the Dual Messenger feature (low severity, no corporate data exposure).
For enterprise-managed Samsung fleets, the Samsung Knox Service Plugin (KSP) for Intune or the Samsung integration in BlackBerry UEM allows enforcing the minimum Knox SMR patch level via compliance profile.
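The following is an added example, not taken from the original article or from any vendor tooling. It applies the two version floors discussed above, iOS 17.5.2 and the full 2026-06-05 Android patch level, to an exported device inventory. The record fields (`id`, `platform`, `os_version`, `patch_level`) and the sample devices are constructed assumptions; real MDM exports name these fields differently.

```python
import re
from datetime import date

IOS_MIN = (17, 5, 2)                 # article: complete fix for both WebKit CVEs
ANDROID_MIN_SPL = date(2026, 6, 5)   # article: full level; 2026-06-01 lacks the Bluetooth fix
PARTIAL_SPL = date(2026, 6, 1)

def parse_ios(version):
    """'17.5.1 (a)' -> (17, 5, 1). A Rapid Security Response suffix is dropped
    on purpose: an RSR on 17.5.1 is not the complete fix."""
    m = re.match(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", version or "")
    if not m:
        raise ValueError(f"unparseable iOS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def evaluate(device):
    """Return (compliant, reason) for one inventory record (hypothetical schema)."""
    platform = device["platform"].lower()
    if platform in ("ios", "ipados"):
        if parse_ios(device["os_version"]) >= IOS_MIN:   # numeric, not string, compare
            return True, "ok"
        return False, f"iOS {device['os_version']} < 17.5.2"
    if platform == "android":
        try:
            spl = date.fromisoformat(device.get("patch_level") or "")
        except ValueError:
            return False, "missing or malformed security patch level"
        if spl >= ANDROID_MIN_SPL:
            return True, "ok"
        if spl == PARTIAL_SPL:
            return False, "partial June level (2026-06-01), Bluetooth fix absent"
        return False, f"patch level {spl} < 2026-06-05"
    return False, f"unknown platform {device['platform']!r}"

# Constructed sample inventory; "17.10" is an invented version used to show
# that a string comparison would wrongly rank it below "17.5.2".
INVENTORY = [
    {"id": "ipad-014", "platform": "iPadOS", "os_version": "17.5.2"},
    {"id": "iph-201", "platform": "iOS", "os_version": "17.5.1 (a)"},
    {"id": "iph-305", "platform": "iOS", "os_version": "17.10"},
    {"id": "px8-07", "platform": "Android", "patch_level": "2026-06-01"},
    {"id": "gs24-11", "platform": "Android", "patch_level": "2026-06-05"},
    {"id": "gs10-02", "platform": "Android", "patch_level": None},
]

def non_compliant(inventory):
    """Map device id -> reason for every record that fails its floor."""
    return {d["id"]: why for d in inventory for ok, why in [evaluate(d)] if not ok}

if __name__ == "__main__":
    for dev_id, why in non_compliant(INVENTORY).items():
        print(f"{dev_id}: {why}")
```

Devices with no reported patch level are treated as non-compliant rather than skipped, so unreported devices surface in the same list as known-unpatched ones.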
BlackBerry UEM 12.21.1 — Connectivity Node Privilege Escalation
BlackBerry released UEM 12.21.1 on June 5, 2026, addressing CVE-2026-30041, a local privilege escalation vulnerability in the BlackBerry Connectivity Node service component. The Connectivity Node is the UEM component that proxies device connections to the BlackBerry Infrastructure NOC and handles the directory service bridge between the UEM server and Active Directory.
CVE-2026-30041 (CVSS 7.8) allows a local authenticated user account on the Windows Server host running the UEM Connectivity Node service to escalate privileges to SYSTEM. The vulnerability is in the service's interaction with a writable file path during a diagnostic log rotation event — an attacker with local access can exploit a race condition in the log rotation to plant a DLL that executes as SYSTEM when the service restarts.
Exploitation requires both local user access to the UEM host and the ability to write to the target path, which in a properly hardened UEM deployment (dedicated server, no general-purpose user accounts) is not trivially achievable. BlackBerry notes no evidence of exploitation in the wild.
The upgrade path to UEM 12.21.1 from 12.21.0 follows the standard UEM patch update process: download the 12.21.1 installer from the BlackBerry software download portal, run the Setup Application on the UEM server host, and follow the upgrade wizard. Database schema changes in 12.21.1 are minimal (two index additions for diagnostic performance), and the upgrade completes in approximately 20 to 40 minutes depending on database size.
The management console is unavailable during the upgrade window. For UEM installations running versions earlier than 12.21.0, upgrading directly to 12.21.1 is supported; the 12.21.1 installer performs a full version upgrade rather than a patch-only install.
Microsoft Intune 2406.1 — No Security CVEs, One Enrollment Fix
Microsoft's Intune service update 2406.1, deployed to cloud tenants on June 10, 2026, contains no security vulnerability fixes. The release corrects a regression introduced in the May 2026 update (2405.2) that caused Android Enterprise fully managed device enrollment failures on Google Pixel 8 devices running Android 15 QPR1. Affected tenants observed enrollment errors with the code 0xCAA9001F during the work profile provisioning phase.
The regression was caused by an incompatibility between Intune's enrollment workflow and a change in the Android 15 QPR1 MDM provisioning API response format. The 2406.1 update corrects the parsing logic.
Intune 2406.1 also adds compliance policy support for enforcing iOS 17.5.x minimum build version in the OS version compliance condition — previously, the Minimum OS version condition accepted only major.minor version strings, preventing enforcement of specific security patches within a minor version family. Administrators can now specify a build string (for example, "21F79" for iOS 17.5.2) in addition to the version number.
This capability is particularly useful for enforcing the iOS 17.5.2 mandate given the critical WebKit CVEs addressed in that release.
VMware Workspace ONE — VMSA-2026-0012 (Medium Severity)
VMware published VMSA-2026-0012 on June 8, 2026, addressing two vulnerabilities in the Workspace ONE UEM management console. CVE-2026-22010 (CVSS 6.1) is a reflected cross-site scripting (XSS) vulnerability in the console's device search functionality — an attacker with access to a user's browser session could craft a malicious URL that executes JavaScript in the context of the logged-in user's session.
The vulnerability requires the attacker to social-engineer a console user into clicking a malicious link while authenticated, which limits practical exploitability but introduces phishing risk in environments where console access is shared broadly.
CVE-2026-22011 (CVSS 5.3) is an information disclosure vulnerability in the Workspace ONE REST API — certain authenticated API endpoints returned verbose error responses that included internal path names and configuration details. This information could assist an attacker who already has API authentication credentials in mapping the internal architecture of the Workspace ONE deployment.
Cloud-hosted Workspace ONE UEM deployments received automatic patches for both CVEs on June 9, 2026. On-premises deployments should apply the patch bundle available through the VMware Customer Connect portal in the next scheduled maintenance window. Neither vulnerability has a published proof-of-concept exploit or evidence of active exploitation.
Frequently Asked Questions
June 2026 Patch FAQ
Is iOS 17.5.2 a mandatory update for enterprise iOS deployments in June 2026?
Yes. iOS 17.5.2 patches two WebKit vulnerabilities confirmed as actively exploited in the wild. CISA added both CVEs to the Known Exploited Vulnerabilities catalog. Enterprise MDM administrators should deploy iOS 17.5.2 as an emergency patch, targeting completion within 72 hours of release for all corporate-supervised devices. Override any active 90-day deferral policy for this specific update.
Which BlackBerry UEM version addresses the June 2026 Connectivity Node vulnerability?
BlackBerry UEM 12.21.1 addresses CVE-2026-30041. Administrators running UEM 12.21.0 or earlier 12.x versions should upgrade to 12.21.1. The vulnerability requires local access to the UEM server to exploit, reducing remote attack risk for properly hardened deployments, but the upgrade is still recommended within the next scheduled maintenance window.
What is the June 2026 Android Security Patch Level date?
The full June 2026 Android Security Patch Level is 2026-06-05, covering all CVEs in the June bulletin including the critical Bluetooth stack fix. The partial 2026-06-01 level covers AOSP components only and does not include the Bluetooth fix. Enterprise compliance policies should enforce the 2026-06-05 full patch level.
Does the June 2026 Android Bluetooth CVE affect Samsung Knox devices?
Yes. CVE-2026-24019 affects Android 12 through 15, including Samsung Galaxy models. Samsung's June 2026 SMR includes the patch for all Galaxy models still under active security maintenance. Galaxy models that have exited Samsung's monthly SMR lifecycle will not receive the fix — these devices should be identified and tracked for hardware replacement.
What Microsoft Intune changes shipped in the June 2026 update?
Intune 2406.1 contains no security CVEs. It corrects a Pixel 8 enrollment regression from the May update and adds compliance policy support for iOS 17.5.x minimum build version enforcement — useful for mandating the iOS 17.5.2 security update via compliance policy.
How should teams handle iOS 17.5.2 deployment if the UEM policy defers updates by 90 days?
Create an emergency Software Update policy targeting iOS 17.5.2 or later with an Immediately schedule in BlackBerry UEM, overriding the deferral for this specific version. In Intune, use a Feature Update ring configuration with the target build set to 17.5.2 and a 1-day deadline, combined with a compliance policy marking older versions as non-compliant to trigger Conditional Access enforcement.
What is the urgency level for the June 2026 VMware Workspace ONE advisory?
VMSA-2026-0012 is Medium severity — two vulnerabilities with CVSS scores of 6.1 and 5.3. Cloud-hosted Workspace ONE was patched automatically on June 9. On-premises deployments should apply the patch in the next scheduled maintenance window. Neither vulnerability has a known public exploit.
What is the recommended patch deployment order for enterprise IT in June 2026?
Priority 1 (emergency, within 72 hours): iOS 17.5.2 on all supervised corporate iOS devices.
Priority 2 (within 7 days): Android June 2026-06-05 SPL enforcement via compliance policy; BlackBerry UEM upgrade to 12.21.1.
Priority 3 (next maintenance window): VMware Workspace ONE on-premises VMSA-2026-0012 patch.
Priority 4 (verify): Confirm Intune 2406.1 enrollment fix for any Pixel 8 fleets affected by the May regression.