
CISA Adds Actively Exploited Qualcomm and VMware Aria Operations Vulnerabilities to KEV Catalog

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, embedded-device-vulnerability, widely-deployed-product-advisory
Updated March 24, 2026 at 02:03 PM (9 sources)


CISA updated its Known Exploited Vulnerabilities (KEV) Catalog to add two CVEs based on evidence of active exploitation: CVE-2026-21385, a memory corruption flaw affecting multiple Qualcomm chipsets, and CVE-2026-22719, a command injection flaw in Broadcom VMware Aria Operations. The KEV entry for CVE-2026-22719 notes that the issue can allow an unauthenticated attacker to execute arbitrary commands, potentially leading to remote code execution during support-assisted product migration; CVE-2026-21385 is described as memory corruption related to memory allocation alignment across multiple Qualcomm chipsets.

Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV-listed vulnerabilities by CISA’s specified due dates; the catalog update raises the total from 1,529 to 1,531 entries and sets a remediation due date of 2026-03-24 for CVE-2026-22719 (the timeline records the same date for CVE-2026-21385). CISA emphasized that while BOD 22-01 binds only FCEB agencies, all organizations should prioritize remediation of KEV-listed vulnerabilities in their vulnerability management programs because these flaws are frequently used as attack vectors.

Timeline

  1. Mar 3, 2026

    CISA sets March 24 remediation deadline for newly added KEV entries

    Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate CVE-2026-21385 and CVE-2026-22719 by 2026-03-24. CISA also urged all organizations to prioritize mitigation of the two actively exploited vulnerabilities.

  2. Mar 3, 2026

    CISA adds Qualcomm and VMware flaws to the KEV catalog

    On 2026-03-03, CISA added CVE-2026-21385 affecting multiple Qualcomm chipsets and CVE-2026-22719 affecting Broadcom VMware Aria Operations to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The KEV catalog total increased from 1,529 to 1,531 entries.

  3. Feb 24, 2026

    Broadcom provides workaround for unpatched VMware Aria Operations systems

    Alongside its advisory, Broadcom made a temporary mitigation script available to disable vulnerable migration-related components for customers unable to patch immediately. Reporting also identified fixed releases including Aria Operations 8.18.6 and 9.0.2.

  4. Feb 24, 2026

    Broadcom discloses and patches VMware Aria Operations flaw CVE-2026-22719

    On 2026-02-24, Broadcom disclosed CVE-2026-22719 in VMware Aria Operations via advisory VMSA-2026-0001 and released patches. The command injection flaw can allow unauthenticated arbitrary command execution, potentially leading to remote code execution during support-assisted product migration.
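The catalog counts and due dates in the summary above, together with the fixed releases noted in the timeline (Aria Operations 8.18.6 and 9.0.2), are the raw material a vulnerability-management team turns into a worklist. The Python below is an added example, not code from Mallory, CISA or Broadcom. It reads a constructed excerpt shaped like CISA's public known_exploited_vulnerabilities.json feed (the field names are the feed's; only the CVE IDs, vendor and product names, dateAdded and dueDate values are the ones reported on this page), matches the entries against a hypothetical inventory, and computes days remaining to the BOD 22-01 due date. The FIXED_VERSIONS table is an assumption that reads 8.18.6 as the fix for the 8.18 branch and 9.0.2 for the 9.0 branch; the inventory, asset names and the scanner-reported CVE field are invented for illustration.

```python
"""Triage a KEV catalog update against a local asset inventory.

Added example, not code from this page, from CISA or from Broadcom.
KEV_CATALOG is a constructed excerpt using the field names of CISA's public
known_exploited_vulnerabilities.json feed; the cveID, vendorProject, product,
dateAdded and dueDate values are the ones reported on this page. FIXED_VERSIONS
is an assumption (8.18.6 fixes the 8.18 branch, 9.0.2 the 9.0 branch of Aria
Operations); INVENTORY is hypothetical.
"""
from dataclasses import dataclass, field
from datetime import date
from itertools import takewhile

KEV_CATALOG = {  # constructed excerpt, shaped like the CISA JSON feed
    "count": 1531,
    "vulnerabilities": [
        {"cveID": "CVE-2026-22719", "vendorProject": "Broadcom",
         "product": "VMware Aria Operations", "dateAdded": "2026-03-03",
         "dueDate": "2026-03-24"},
        {"cveID": "CVE-2026-21385", "vendorProject": "Qualcomm",
         "product": "Multiple Chipsets", "dateAdded": "2026-03-03",
         "dueDate": "2026-03-24"},
    ],
}

# Assumed first fixed release per major.minor branch, keyed by KEV product.
FIXED_VERSIONS = {"VMware Aria Operations": {"8.18": "8.18.6", "9.0": "9.0.2"}}


@dataclass
class Asset:
    name: str
    product: str                 # product string as recorded in the CMDB
    version: str = ""            # empty when the asset is not version-tracked
    cves_reported: set = field(default_factory=set)  # CVE IDs from scanner/MDM


@dataclass
class Finding:
    asset: str
    cve_id: str
    due_date: date
    days_until_due: int          # negative once the BOD 22-01 date has passed
    status: str                  # "vulnerable" or "verify"


def parse_version(v: str) -> tuple:
    """'8.18.6' -> (8, 18, 6); parsing stops at the first non-numeric part."""
    return tuple(int(p) for p in takewhile(str.isdigit, v.split(".")))


def version_status(product: str, version: str) -> str:
    """'patched', 'vulnerable', or 'verify' when the data cannot clear it."""
    fixed_by_branch = FIXED_VERSIONS.get(product)
    if not fixed_by_branch or not version:
        return "verify"
    parsed = parse_version(version)
    fixed = fixed_by_branch.get(".".join(str(x) for x in parsed[:2]))
    if fixed is None:
        return "verify"          # branch not covered by the known fixes
    return "patched" if parsed >= parse_version(fixed) else "vulnerable"


def match_entry(entry: dict, asset: Asset) -> bool:
    """Match by scanner-reported CVE ID, then by product name; chipset-level
    entries ('Multiple Chipsets') only ever match through cves_reported."""
    if entry["cveID"] in asset.cves_reported:
        return True
    return entry["product"].lower() in asset.product.lower()


def triage(catalog: dict, inventory: list, today: str) -> list:
    """Open findings, overdue first, then nearest due date, then asset name."""
    now = date.fromisoformat(today)
    findings = []
    for entry in catalog["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            if not match_entry(entry, asset):
                continue
            status = version_status(entry["product"], asset.version)
            if status != "patched":
                findings.append(Finding(asset.name, entry["cveID"], due,
                                        (due - now).days, status))
    findings.sort(key=lambda f: (f.days_until_due, f.asset))
    return findings


INVENTORY = [  # hypothetical
    Asset("aria-prod-01", "VMware Aria Operations", "8.18.5"),
    Asset("aria-prod-02", "VMware Aria Operations", "8.18.6"),
    Asset("aria-lab-01", "VMware Aria Operations", "9.0.1"),
    Asset("aria-lab-02", "VMware Aria Operations", "9.1.0"),
    Asset("field-tablet-17", "Android handset (Snapdragon)",
          cves_reported={"CVE-2026-21385"}),
]

if __name__ == "__main__":
    for f in triage(KEV_CATALOG, INVENTORY, "2026-03-24"):
        print(f"{f.asset:16} {f.cve_id:15} due {f.due_date} "
              f"({f.days_until_due:+d} d) {f.status}")
```

Two design points matter in practice. A product-name match can never clear a host on its own, so any version the fix table does not cover (a branch outside 8.18 and 9.0, or an asset with no recorded version) is reported as "verify" rather than silently dropped. Chipset-level entries such as the Qualcomm one only surface through scanner- or MDM-reported CVE IDs, because "Multiple Chipsets" will not appear in any CMDB product field; on handsets the fix typically ships through the device maker's update, so the status stays "verify" until the device reports a patch level that covers it.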


Sources

Sources (9 in total) include Dark Reading, CISA KEV data commits, BleepingComputer and CISA advisories.

Related Stories

CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog


CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.

1 month ago
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog


CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.

1 month ago
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog


CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.

1 month ago
