
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog

Updated March 21, 2026 at 02:45 PM | 6 sources

CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are CVE-2018-14634 (Linux kernel integer overflow / local privilege escalation), CVE-2025-52691 (SmarterTools SmarterMail unrestricted file upload enabling RCE), CVE-2026-21509 (Microsoft Office security feature bypass), CVE-2026-23760 (SmarterTools SmarterMail authentication bypass via alternate path/channel), and CVE-2026-24061 (GNU InetUtils argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments.

Under BOD 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that CVE-2025-52691 can enable unauthenticated arbitrary file upload leading to remote code execution (noted as CVSS 10.0 in the reporting) and that CVE-2018-14634, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.

Timeline

  1. Jan 27, 2026

    CISA adds Fortinet CVE-2026-24858 to the KEV catalog

    CISA added CVE-2026-24858, an authentication bypass using an alternate path or channel affecting multiple Fortinet products, to the Known Exploited Vulnerabilities catalog. The listing indicated evidence of active exploitation and elevated risk to federal networks.

  2. Jan 26, 2026

    CISA sets February 16 remediation deadline for the five new KEV entries

    Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate the five newly listed KEV vulnerabilities by February 16, 2026. CISA also urged all organizations to prioritize patching because of evidence of active exploitation.

  3. Jan 26, 2026

    CISA adds five exploited vulnerabilities to the KEV catalog

    CISA added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2018-14634, CVE-2025-52691, CVE-2026-23760, CVE-2026-21509, and CVE-2026-24061. The issues affected the Linux kernel, SmarterTools SmarterMail, Microsoft Office, and GNU InetUtils.

  4. Jan 1, 2026

    Microsoft issues out-of-band updates for exploited Office zero-day

    Microsoft released out-of-band updates for CVE-2026-21509, a Microsoft Office security feature bypass being actively exploited. The company said exploitation required a user to open a malicious Office file and that the Preview Pane was not an attack vector.

  5. Jan 1, 2025

    Singapore CSA publicly warns about SmarterMail file-upload flaw

    Singapore's Cyber Security Agency warned about SmarterTools SmarterMail CVE-2025-52691, describing it as a maximum-severity issue that could enable unauthenticated arbitrary file upload and remote code execution. It recommended upgrading from Build 9406 and earlier to Build 9413.

  6. Oct 17, 2018

    Linux kernel privilege-escalation flaw CVE-2018-14634 is disclosed

    Qualys disclosed CVE-2018-14634, a Linux kernel integer overflow/local privilege-escalation vulnerability later nicknamed "Mutagen Astronomy." The flaw affected multiple kernel branches and allowed an unprivileged local user to gain root privileges.

  7. Mar 19, 2015

    GNU InetUtils telnetd flaw is introduced in source code

    A commit on March 19, 2015 introduced the code path that later became CVE-2026-24061 in GNU InetUtils telnetd. The bug enabled argument injection that could lead to authentication bypass and root compromise in affected versions.


Related Stories

CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog

CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.

1 month ago
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog

CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.

1 month ago
CISA KEV Updates and New Enrichment Tooling for Vulnerability Prioritization

CISA’s **Known Exploited Vulnerabilities (KEV)** program continues to be used as an operational prioritization mechanism for vulnerabilities with confirmed exploitation, but recent analysis cautions it is often misunderstood as a definitive list of the “worst” vulnerabilities. A paper by former CISA KEV section chief Tod Beardsley describes how enrichment signals (e.g., **CVSS**, **EPSS**, **SSVC**, public exploit availability in *Metasploit*/*Nuclei*, and **MITRE ATT&CK** mappings) can be combined to better triage KEV entries, and introduces *KEV Collider*, a free web app/dataset intended to help teams explore and validate enriched KEV data; one highlighted finding is that only **~32%** of KEV-listed vulnerabilities are “immediately exploitable for initial access.” CISA also added two vulnerabilities to the KEV catalog due to **active exploitation**: **CVE-2026-24423** (SmarterTools *SmarterMail*) and **CVE-2025-11953** (*React Native Community CLI*). CVE-2026-24423 is described as an unauthenticated **RCE** tied to a missing authentication check in the `ConnectToHub` API method in SmarterMail builds prior to **9511**, enabling command execution by coercing the server to connect to a malicious HTTP endpoint; build **9511** was released to remediate, and ransomware activity has reportedly targeted exposed instances. CVE-2025-11953 is described as unauthenticated OS command injection via the Metro dev server (notably when bound to external interfaces), with reporting of exploitation activity involving PowerShell-based loaders and defense evasion; U.S. federal agencies are directed under **BOD 22-01** to remediate by the stated KEV deadline, and other organizations are advised to patch/upgrade and reduce exposure (e.g., bind Metro to localhost) while monitoring for suspicious PowerShell and related post-exploitation behavior.

1 month ago
