Mallory

CISA Adds Actively Exploited Vulnerabilities to the Known Exploited Vulnerabilities Catalog

Tags: actively-exploited-vulnerability, government-vulnerability-catalog, widely-deployed-product-advisory, identity-authentication-vulnerability, endpoint-software-vulnerability
Updated May 1, 2026 at 09:01 PM; 22 sources

CISA updated its Known Exploited Vulnerabilities (KEV) Catalog after identifying evidence of active exploitation in the wild, reinforcing that organizations should prioritize remediation under BOD 22-01 timelines (for FCEB agencies) and as a broader risk-reduction measure for all enterprises. One update added CVE-2025-68613 affecting n8n, described as an improper control of dynamically-managed code resources issue, and CISA emphasized that KEV entries represent vulnerabilities being leveraged by threat actors.

Separate KEV-related reporting described additional catalog additions tied to active exploitation, including CVE-2026-1603 (Ivanti Endpoint Manager) described as an authentication bypass with potential exposure of credential data (fixed in EPM 2024 SU5), CVE-2025-26399 (SolarWinds Web Help Desk) described as a critical deserialization/RCE issue in AjaxProxy (fixed in WHD 12.8.7 HF1), and CVE-2021-22054 (Omnissa/VMware Workspace ONE) described as an SSRF. Additional coverage also highlighted CISA’s KEV addition of multiple Apple vulnerabilities—CVE-2023-43000, CVE-2023-41974 (both use-after-free), and CVE-2021-30952 (integer overflow)—impacting macOS/iOS/iPadOS and related platforms, with exploitation reported as active and patching urged to reduce risk of arbitrary code execution and elevated privileges.

Timeline

  1. May 1, 2026

    CISA adds Linux Kernel flaw CVE-2026-31431 to KEV

    On 2026-05-01, CISA added CVE-2026-31431, an incorrect resource transfer between spheres vulnerability in the Linux Kernel, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said vulnerabilities of this type are frequently used by malicious cyber actors, pose significant risk to the federal enterprise, and should be prioritized for remediation under BOD 22-01.

  2. Apr 24, 2026

    CISA adds four new vulnerabilities to KEV catalog

    On 2026-04-24, CISA added four vulnerabilities affecting Samsung MagicINFO 9 Server, SimpleHelp, and the D-Link DIR-823X to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the path traversal, missing authorization, and command injection flaws are common attack vectors that pose significant risk to the federal enterprise and urged timely remediation under BOD 22-01.

  3. Apr 23, 2026

    CISA adds Marimo flaw CVE-2026-39987 to KEV

    On 2026-04-23, CISA added CVE-2026-39987, a remote code execution vulnerability affecting Marimo, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged timely remediation under Binding Operational Directive 22-01.

  4. Apr 22, 2026

    CISA adds Microsoft Defender flaw CVE-2026-33825 to KEV

    On 2026-04-22, CISA added CVE-2026-33825, an insufficient granularity of access control vulnerability affecting Microsoft Defender, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged timely remediation under Binding Operational Directive 22-01.

  5. Apr 20, 2026

    CISA adds eight new vulnerabilities to KEV catalog

    On 2026-04-20, CISA added eight vulnerabilities affecting PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaws are common attack vectors that pose significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.

  6. Apr 16, 2026

    CISA adds Apache ActiveMQ flaw CVE-2026-34197 to KEV

    On 2026-04-16, CISA added CVE-2026-34197, an improper input validation vulnerability affecting Apache ActiveMQ, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged timely remediation under BOD 22-01.

  7. Apr 14, 2026

    CISA adds Microsoft Office and SharePoint flaws to KEV

    On 2026-04-14, CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2009-0238, a Microsoft Office remote code execution flaw, and CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server. CISA said both were actively exploited and urged prioritized remediation under Binding Operational Directive 22-01.

  8. Apr 13, 2026

    CISA adds seven new vulnerabilities to KEV catalog

    On 2026-04-13, CISA added seven vulnerabilities affecting Microsoft Visual Basic for Applications, Adobe Acrobat, Microsoft Exchange Server, Microsoft Windows, Fortinet products, and Adobe Acrobat and Reader to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaws are common attack vectors that pose significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.

  9. Apr 8, 2026

    CISA adds Ivanti EPMM flaw CVE-2026-1340 to KEV

    On 2026-04-08, CISA added CVE-2026-1340, a code injection vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw presents significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.

  10. Apr 6, 2026

    CISA adds Fortinet FortiClient EMS flaw CVE-2026-35616 to KEV

    On 2026-04-06, CISA added CVE-2026-35616, an improper access control vulnerability affecting Fortinet FortiClient EMS, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw presents significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.

  11. Apr 1, 2026

    CISA adds Google Dawn flaw CVE-2026-5281 to KEV

    On 2026-04-01, CISA added CVE-2026-5281, a Google Dawn use-after-free vulnerability, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.

  12. Mar 27, 2026

    CISA adds F5 BIG-IP flaw CVE-2025-53521 to KEV

    On 2026-03-27, CISA added CVE-2025-53521, a remote code execution vulnerability affecting F5 BIG-IP, to its Known Exploited Vulnerabilities catalog after obtaining evidence of active exploitation. CISA warned the flaw poses significant risk to the federal enterprise and urged prioritized remediation under Binding Operational Directive 22-01.

  13. Mar 26, 2026

    CISA adds Aqua Security Trivy flaw CVE-2026-33634 to KEV

    On 2026-03-26, CISA added CVE-2026-33634, an Aqua Security Trivy Embedded Malicious Code vulnerability, to its Known Exploited Vulnerabilities catalog after obtaining evidence of active exploitation. CISA said the flaw is a frequent attack vector that poses significant risk to the federal enterprise and urged prioritized remediation.

  14. Mar 25, 2026

    CISA adds Langflow code injection flaw CVE-2026-33017 to KEV

    On 2026-03-25, CISA added CVE-2026-33017, a code injection vulnerability affecting Langflow, to its Known Exploited Vulnerabilities catalog after obtaining evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.

  15. Mar 19, 2026

    CISA adds Cisco firewall management flaw CVE-2026-20131 to KEV

    On 2026-03-19, CISA added CVE-2026-20131, a deserialization of untrusted data vulnerability affecting Cisco Secure Firewall Management Center and Cisco Security Cloud Control Firewall Management, to the KEV catalog. CISA said the flaw was under active exploitation and posed significant risk to the federal enterprise.

  16. Mar 18, 2026

    CISA adds Synacor Zimbra XSS flaw CVE-2025-66376 to KEV

    On 2026-03-18, CISA added CVE-2025-66376, a cross-site scripting vulnerability affecting Synacor Zimbra Collaboration Suite, to the KEV catalog. The agency said the flaw was actively exploited and should be prioritized for remediation.

  17. Mar 16, 2026

    CISA adds Wing FTP Server vulnerability CVE-2025-47813 to KEV

    On 2026-03-16, CISA added CVE-2025-47813, an information disclosure vulnerability in Wing FTP Server, to the KEV catalog after evidence of active exploitation emerged. CISA warned that the issue presented significant risk to federal agencies and urged timely patching.

  18. Mar 13, 2026

    CISA adds Google Skia and Chromium V8 flaws to KEV

    On 2026-03-13, CISA added CVE-2026-3909, a Google Skia out-of-bounds write vulnerability, and CVE-2026-3910, a Google Chromium V8 vulnerability, to the KEV catalog. The agency said both were being actively exploited and required prompt remediation.

  19. Mar 11, 2026

    CISA adds n8n vulnerability CVE-2025-68613 to KEV

    On 2026-03-11, CISA added CVE-2025-68613, an improper control of dynamically managed code resources vulnerability affecting n8n, to the KEV catalog after evidence of active exploitation. CISA said the flaw posed significant risk to the federal enterprise and required remediation under BOD 22-01.

  20. Mar 9, 2026

    CISA adds Ivanti, SolarWinds, and Omnissa flaws to KEV catalog

    By 2026-03-09, CISA had added three vulnerabilities to the KEV catalog based on active exploitation evidence: CVE-2026-1603 in Ivanti Endpoint Manager, CVE-2025-26399 in SolarWinds Web Help Desk, and CVE-2021-22054 in Omnissa Workspace ONE. The listed issues included authentication bypass, unauthenticated remote code execution, and SSRF risks.

  21. Mar 5, 2026

    CISA adds three Apple vulnerabilities to KEV catalog

    On 2026-03-05, CISA added three actively exploited Apple vulnerabilities affecting macOS, iOS, iPadOS, Safari, and related platforms to its Known Exploited Vulnerabilities catalog. The flaws included two use-after-free issues and one integer overflow issue that could lead to memory corruption, arbitrary code execution, and in one case kernel-privileged code execution.


Related Entities

Vulnerabilities

CopyFail local privilege escalation in Linux kernel AF_ALG algif_aead (CVE-2026-31431)
Apple Multiple Products Integer Overflow or Wraparound Vulnerability (CVE-2021-30952)
Parallax kernel use-after-free in Apple iOS and iPadOS (CVE-2023-41974)
WebKit Use-After-Free in Apple Safari, iOS, iPadOS, and macOS (CVE-2023-43000)
Authentication Bypass in Ivanti EPMM API (CVE-2023-35082)
Omnissa Workspace ONE UEM Server-Side Request Forgery (CVE-2021-22054)
Unauthenticated AjaxProxy Deserialization RCE in SolarWinds Web Help Desk (CVE-2025-26399)
SQL Injection RCE in Ivanti Endpoint Manager Core Server (CVE-2024-29824)
Java Deserialization RCE in SolarWinds Web Help Desk AjaxProxy (CVE-2024-28986)
Unauthenticated Java Deserialization RCE in SolarWinds Web Help Desk AjaxProxy (CVE-2024-28988)
Unauthenticated RCE in Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281)
Authentication Bypass in Ivanti Endpoint Manager (CVE-2026-1603)
Authenticated RCE via expression injection in n8n workflow expression evaluation (CVE-2025-68613)
Arbitrary Code Execution in Google Chrome V8 via Crafted HTML Page (CVE-2026-3910)
Out-of-bounds write in Skia in Google Chrome (CVE-2026-3909)
Stored XSS in Zimbra Collaboration Classic UI via CSS @import in HTML email (CVE-2025-66376)
Unauthenticated RCE in Langflow build_public_tmp Endpoint (CVE-2026-33017)
Trivy Supply Chain Compromise (CVE-2026-33634)
Unauthenticated RCE in F5 BIG-IP APM (CVE-2025-53521)
Use-after-free in Dawn in Google Chrome (CVE-2026-5281)
Pre-authentication API access bypass in Fortinet FortiClient EMS (CVE-2026-35616)
Unauthenticated RCE in Ivanti Endpoint Manager Mobile Android File Transfer (CVE-2026-1340)


Related Stories

CISA Adds Omnissa Workspace ONE, SolarWinds Web Help Desk, and Ivanti EPM Flaws to KEV Catalog

CISA added three vulnerabilities to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2021-22054** (Omnissa *Workspace ONE UEM* / formerly VMware Workspace ONE UEM, **SSRF**), **CVE-2025-26399** (SolarWinds *Web Help Desk*, **deserialization of untrusted data** in `AjaxProxy` enabling command execution), and **CVE-2026-1603** (Ivanti *Endpoint Manager (EPM)*, **authentication bypass**). CISA reiterated that KEV-listed issues are common intrusion vectors and that Federal Civilian Executive Branch (FCEB) agencies must remediate per **BOD 22-01** deadlines, while strongly urging all organizations to prioritize patching/mitigation of KEV entries as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the 2026-03-09 catalog release, increasing the catalog count and adding records for the newly listed CVEs, including short descriptions, required actions, and remediation due dates (e.g., **2026-03-23** for CVE-2021-22054 and **2026-03-12** for CVE-2025-26399). Separate reporting about CISA warning on exploited **Apple** vulnerabilities (macOS/iOS/iPadOS/Safari) describes a different set of CVEs and does not align with the KEV additions in this alert.

CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog

CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.

CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog

CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.

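The stories above all come back to the same defender workflow: the KEV feed carries a due date and a required action per CVE, and the commentary recommends using KEV as a prioritization input alongside CVSS, EPSS and exposure rather than as a panic list. The following is an added example, not Mallory's or CISA's code, that puts those pieces together: it parses a catalog document laid out like CISA's public known_exploited_vulnerabilities.json feed (the field names follow that feed), joins it against scanner findings, classifies each BOD 22-01 due date as overdue, due soon or on track, and folds the KEV listing, EPSS, CVSS and internet exposure into one patch-sequencing score. The three catalog records reuse CVEs and due dates named on this page, but their descriptions, CWE tags and dateAdded values are constructed; the findings, asset names, CVSS/EPSS figures and the reference date 2026-03-15 are placeholders; and the score weights are this example's own choice, not a published formula.

```python
"""Cross-reference a CISA KEV catalog snapshot against vulnerability findings.

Added example for this page, not CISA's or Mallory's code. Field names follow
CISA's public known_exploited_vulnerabilities.json feed; the records, findings,
scores and reference date below are constructed for the demo.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt of a KEV feed. CVE ids and due dates match the page;
# descriptions, CWE tags and dateAdded values are placeholders.
KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.03.09", "dateReleased": "2026-03-09T00:00:00.0000Z", "count": 3,
  "vulnerabilities": [
    {"cveID": "CVE-2021-22054", "vendorProject": "Omnissa", "product": "Workspace ONE UEM",
     "vulnerabilityName": "Omnissa Workspace ONE UEM Server-Side Request Forgery Vulnerability",
     "dateAdded": "2026-03-09", "shortDescription": "Constructed placeholder.",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2026-03-23",
     "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-918"]},
    {"cveID": "CVE-2025-26399", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "vulnerabilityName": "SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2026-03-09", "shortDescription": "Constructed placeholder.",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2026-03-12",
     "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-502"]},
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "Multiple Products",
     "vulnerabilityName": "Hikvision Improper Authentication Vulnerability",
     "dateAdded": "2026-03-05", "shortDescription": "Constructed placeholder.",
     "requiredAction": "Apply mitigations per vendor instructions.", "dueDate": "2026-03-26",
     "knownRansomwareCampaignUse": "Unknown", "notes": "", "cwes": ["CWE-287"]}
  ]
}"""

TODAY = date(2026, 3, 15)  # constructed reference date for the due-date math


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date
    required_action: str
    ransomware_use: str


@dataclass(frozen=True)
class Finding:
    """One scanner finding; CVSS/EPSS are placeholder numbers, not published scores."""
    asset: str
    cve_id: str
    cvss: float
    epss: float
    internet_facing: bool


# Constructed findings; the last CVE id is fictitious and not in the catalog.
FINDINGS = [
    Finding("whd-prod-01", "CVE-2025-26399", 9.8, 0.80, True),
    Finding("uem-console-02", "CVE-2021-22054", 9.1, 0.40, False),
    Finding("cam-lobby-07", "CVE-2017-7921", 10.0, 0.90, True),
    Finding("build-agent-03", "CVE-2099-0001", 7.5, 0.02, False),
]


def load_kev(raw: str) -> dict[str, KevEntry]:
    """Parse a KEV feed document into a map keyed by CVE id, checking the count field."""
    doc = json.loads(raw)
    entries: dict[str, KevEntry] = {}
    for v in doc["vulnerabilities"]:
        entries[v["cveID"]] = KevEntry(
            cve_id=v["cveID"], vendor=v["vendorProject"], product=v["product"],
            name=v["vulnerabilityName"], date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]), required_action=v["requiredAction"],
            ransomware_use=v.get("knownRansomwareCampaignUse", "Unknown"))
    if doc.get("count", len(entries)) != len(entries):
        raise ValueError("catalog count does not match the number of records")
    return entries


def due_status(entry: KevEntry, today: date) -> tuple[str, int]:
    """Classify the BOD 22-01 due date; days_remaining is negative when overdue."""
    remaining = (entry.due_date - today).days
    if remaining < 0:
        return "OVERDUE", remaining
    return ("DUE_SOON" if remaining <= 7 else "ON_TRACK"), remaining


def priority_score(f: Finding, kev: KevEntry | None, today: date) -> float:
    """Weighted score (this example's own weights): KEV listing and its deadline dominate,
    then EPSS, CVSS and internet exposure break ties."""
    score = 30.0 * f.epss + f.cvss + (10.0 if f.internet_facing else 0.0)
    if kev is not None:
        score += 50.0
        status, _ = due_status(kev, today)
        score += {"OVERDUE": 20.0, "DUE_SOON": 10.0}.get(status, 0.0)
        if kev.ransomware_use == "Known":
            score += 10.0
    return round(score, 1)


def triage(findings: list[Finding], kev_map: dict[str, KevEntry], today: date) -> list[dict]:
    """Join findings with the catalog and return rows sorted by descending priority."""
    rows = []
    for f in findings:
        kev = kev_map.get(f.cve_id)
        status, remaining = due_status(kev, today) if kev else ("NOT_IN_KEV", None)
        rows.append({"asset": f.asset, "cve": f.cve_id, "in_kev": kev is not None,
                     "status": status, "days_to_due": remaining,
                     "required_action": kev.required_action if kev else "",
                     "score": priority_score(f, kev, today)})
    rows.sort(key=lambda r: (-r["score"], r["cve"]))
    return rows


if __name__ == "__main__":
    for r in triage(FINDINGS, load_kev(KEV_JSON), TODAY):
        print(f"{r['score']:6.1f}  {r['asset']:<16}{r['cve']:<16}{r['status']:<11}"
              f"{'' if r['days_to_due'] is None else r['days_to_due']}")
```

Running it against the constructed data puts the overdue SolarWinds finding ahead of the higher-EPSS Hikvision one, which is the point of weighting the due date: an overdue KEV entry is a compliance gap as well as a risk, so it should not be outranked by a non-KEV finding with a bigger CVSS number.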
