CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2008-0015 (Microsoft Windows Video ActiveX Control RCE), CVE-2020-7796 (Synacor Zimbra Collaboration Suite SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and CVE-2026-2441 (Google Chromium CSS use-after-free). Under BOD 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management.
CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including CVE-2020-7796 and CVE-2024-7694 with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as CVSS, EPSS, and observed exploit tooling to drive patch sequencing.
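The prioritization approach described above can be sketched as follows. This is an added example, not code from CISA or the original page: it diffs two trimmed catalog snapshots to find the new entries, then sequences them using local context. The snapshots are constructed, and the `CONTEXT` inventory, the placeholder `CVE-0000-0001`, and the function names are assumptions.

```python
import json
from datetime import date

# Constructed, trimmed snapshots in the KEV JSON layout. CVE IDs, catalog
# versions and the due date are the ones on this page; CVE-0000-0001 is a placeholder.
OLD = json.loads('{"catalogVersion": "2026.02.13", "vulnerabilities": ['
                 '{"cveID": "CVE-0000-0001", "dueDate": "2026-01-01"}]}')
NEW = json.loads('{"catalogVersion": "2026.02.17", "vulnerabilities": ['
                 '{"cveID": "CVE-0000-0001", "dueDate": "2026-01-01"},'
                 '{"cveID": "CVE-2008-0015", "dueDate": "2026-03-10"},'
                 '{"cveID": "CVE-2020-7796", "dueDate": "2026-03-10"},'
                 '{"cveID": "CVE-2024-7694", "dueDate": "2026-03-10"},'
                 '{"cveID": "CVE-2026-2441", "dueDate": "2026-03-10"}]}')

# Hypothetical local context (an assumption): what is deployed here and whether
# exploitation needs a precondition such as admin access or a non-default setup.
CONTEXT = {
    "CVE-2026-2441": {"deployed": True, "precondition": False},
    "CVE-2020-7796": {"deployed": True, "precondition": True},   # zimlet setup
    "CVE-2024-7694": {"deployed": True, "precondition": True},   # admin access
    "CVE-2008-0015": {"deployed": False, "precondition": False},
}

def new_entries(old, new):
    """Return entries present in the new snapshot but not in the old one."""
    seen = {v["cveID"] for v in old["vulnerabilities"]}
    return [v for v in new["vulnerabilities"] if v["cveID"] not in seen]

def patch_sequence(entries, context, today):
    """Order entries: deployed first, no precondition first, nearest due date first."""
    ranked = []
    for e in entries:
        # Unknown CVEs default to the most urgent context so they are never buried.
        ctx = context.get(e["cveID"], {"deployed": True, "precondition": False})
        due = date.fromisoformat(e["dueDate"])
        key = (not ctx["deployed"], ctx["precondition"], due, e["cveID"])
        ranked.append((key, {"cve": e["cveID"], "days_left": (due - today).days,
                             "deployed": ctx["deployed"]}))
    return [row for _, row in sorted(ranked, key=lambda r: r[0])]

if __name__ == "__main__":
    for row in patch_sequence(new_entries(OLD, NEW), CONTEXT, date(2026, 2, 18)):
        print(row)
```

Further signals such as CVSS or EPSS scores can be added as extra elements of the sort key once they are pulled from their own sources.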
Timeline
Feb 18, 2026
TeamT5 says customers migrated off vulnerable ThreatSonar versions
TeamT5 later stated that affected customers had already migrated away from vulnerable ThreatSonar Anti-Ransomware versions. The company also said it had improved its secure development lifecycle and security processes in response.
Feb 17, 2026
CISA sets March 10 remediation deadline for newly added KEV flaws
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate the four newly added KEV vulnerabilities by 2026-03-10. CISA also urged all organizations to prioritize mitigation or discontinue use if mitigations were unavailable.
Feb 17, 2026
CISA adds four vulnerabilities to the KEV catalog
CISA updated its Known Exploited Vulnerabilities catalog on February 17, 2026, adding four CVEs: CVE-2008-0015, CVE-2020-7796, CVE-2024-7694, and CVE-2026-2441. The catalog version changed from 2026.02.13 to 2026.02.17 and the total listed vulnerabilities increased from 1518 to 1522.
Feb 17, 2026
Google fixes Chromium zero-day CVE-2026-2441 in Chrome 145.0.7632.75
Google fixed CVE-2026-2441 in Chrome 145.0.7632.75, according to reporting on the KEV update; Chrome versions prior to 145.0.7632.75 are affected. The patch addressed the actively exploited CSS use-after-free issue in Chromium.
Feb 17, 2026
Google discloses active exploitation of Chromium CVE-2026-2441
Google stated that an exploit for Chromium CSS use-after-free vulnerability CVE-2026-2441 exists in the wild. The flaw affects Chromium-based browsers and was described as an actively exploited zero-day.
Mar 1, 2025
GreyNoise observes exploitation cluster targeting Zimbra SSRF flaw
GreyNoise reported a March 2025 exploitation cluster involving roughly 400 IP addresses targeting SSRF vulnerabilities, including Zimbra Collaboration Suite flaw CVE-2020-7796, across multiple countries. The activity provided evidence of in-the-wild exploitation later cited in reporting on the KEV addition.
Jan 8, 2008
Microsoft documents exploitation of Windows Video ActiveX flaw CVE-2008-0015
Microsoft documented that CVE-2008-0015 in the Windows Video ActiveX Control was exploited to download additional malware and had been used to deliver the Dogkild worm. This establishes long-standing real-world exploitation of the flaw later added to CISA's KEV catalog.
Related Stories

CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.
1 month ago
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.
1 month ago
CISA Updates KEV Catalog as Research Questions How KEV Should Be Prioritized
**CISA added six Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: `CVE-2026-21510`, `CVE-2026-21513`, `CVE-2026-21514`, `CVE-2026-21519`, `CVE-2026-21525`, and `CVE-2026-21533` (including a Windows Remote Desktop Services elevation-of-privilege issue). Under **Binding Operational Directive (BOD) 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged non-federal organizations to similarly prioritize remediation given KEV vulnerabilities’ frequent use as attack vectors. Separately, researchers published an analysis of the **KEV catalog’s composition and operational value**, arguing that KEV inclusion is often misinterpreted as “most severe” rather than “known exploited with a mitigation path.” The paper reports that only **~32% of KEV entries are immediately exploitable for initial access**, and that many KEV vulnerabilities are not remotely exploitable or require authentication, reinforcing the need for context-driven prioritization. The accompanying free tool, **KEV Collider**, enriches KEV entries with signals such as **CVSS, EPSS, SSVC, Metasploit, Nuclei, and MITRE ATT&CK mappings** to help security teams triage remediation and detection work under resource constraints.
1 month ago