CISA Expands KEV Catalog With Actively Exploited Enterprise Software Flaws

Tags: government-vulnerability-catalog, actively-exploited-vulnerability, widely-deployed-product-advisory, ransomware-group-operation

Updated April 29, 2026 at 10:01 AM (7 sources)
CISA added 14 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog across two updates, citing evidence of active exploitation against widely used enterprise products from Fortinet, Microsoft, Adobe, Cisco, JetBrains, PaperCut, Kentico, Quest, and Zimbra. The newly listed flaws include issues in FortiClient EMS, Adobe Acrobat Reader, Microsoft Windows Common Log File System Driver, Microsoft Exchange Server, Host Process for Windows Tasks, Microsoft Visual Basic for Applications, JetBrains TeamCity, PaperCut NG/MF, Kentico Xperience, Quest KACE SMA, Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager, including privilege escalation, credential exposure, sensitive information disclosure, and cross-site scripting weaknesses.

Reporting tied several of the vulnerabilities to real-world intrusion activity and ransomware operations. Microsoft said threat actor Storm-1175 used CVE-2023-21529 to deliver Medusa ransomware, while CVE-2023-27351 has been linked to Lace Tempest deployments of Cl0p and LockBit. Defused Cyber also reported exploitation attempts against CVE-2026-21643, and CISA said federal civilian agencies must remediate the newly added flaws on deadlines running from late April into May 2026 under Binding Operational Directive requirements, while private-sector defenders were urged to prioritize the KEV entries for patching and exposure reduction.

Timeline

  1. Apr 29, 2026

    CISA adds ScreenConnect and Windows flaws to the KEV catalog

    On April 29, 2026, CISA added CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The update signaled ongoing risk from unpatched self-hosted ScreenConnect systems and required federal agencies to remediate under Binding Operational Directive 22-01 timelines.

  2. Apr 21, 2026

    CISA adds eight more actively exploited flaws to the KEV catalog

    On April 21, 2026, CISA expanded the KEV catalog with eight additional vulnerabilities affecting PaperCut, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager. The agency set remediation deadlines spanning April to May 2026 for federal agencies and urged private organizations to prioritize patching.

  3. Apr 14, 2026

    CISA adds six exploited flaws to the KEV catalog

    On April 14, 2026, CISA added six vulnerabilities affecting Fortinet, Adobe, and Microsoft products to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. Federal Civilian Executive Branch agencies were ordered to remediate the listed flaws by April 27, 2026.

  4. Apr 14, 2026

    Storm-1175 uses CVE-2023-21529 to deliver Medusa ransomware

    Microsoft said threat actor Storm-1175 exploited CVE-2023-21529 in Microsoft Exchange Server to deliver Medusa ransomware. This attribution was cited when CISA later added the flaw to the KEV catalog.

  5. Mar 24, 2026

    Exploitation attempts against CVE-2026-21643 observed

    Defused Cyber reported exploitation attempts targeting CVE-2026-21643 beginning on March 24, 2026. The activity affected Fortinet FortiClient EMS and contributed to later KEV catalog action.

  6. Dec 1, 2025

    Akamai links Windows exploit chain to APT28 attacks in Europe and Ukraine

    Akamai said the exploit chain involving CVE-2026-21510 and CVE-2026-21513, with CVE-2026-32202 stemming from an incomplete patch, was used in APT28 attacks targeting Ukraine and E.U. countries. The activity was described as ongoing since December 2025, adding new attribution and technical context beyond CISA's KEV listing.

  7. Jan 1, 2023

    Lace Tempest linked to exploitation of PaperCut flaw CVE-2023-27351

    CVE-2023-27351 in PaperCut NG/MF was previously associated with Lace Tempest activity deploying Cl0p and LockBit ransomware. The reference cites this prior criminal use as context for CISA's later KEV addition.

  8. Jan 1, 2012

    Microsoft acknowledges targeted attacks exploiting CVE-2012-1854

    Microsoft previously said CVE-2012-1854 in Visual Basic for Applications had been used in limited targeted attacks. This establishes that the flaw was exploited in the wild long before its 2026 KEV inclusion.

Related Entities

Vulnerabilities

ConnectWise ScreenConnect Path Traversal (CVE-2024-1708)
ConnectWise ScreenConnect Authentication Bypass (CVE-2024-1709)
Windows Shell zero-click authentication coercion / spoofing vulnerability (CVE-2026-32202)
Windows Shell SmartScreen and Security Prompt Bypass via Malicious LNK/Link (CVE-2026-21510)
MSHTML Framework Security Feature Bypass via Malicious HTML or LNK Files (CVE-2026-21513)
Authentication Bypass in PaperCut NG/MF SecurityRequestFilter (CVE-2023-27351)
Authenticated Path Traversal and Arbitrary File Upload RCE in Kentico Xperience Staging Sync Server (CVE-2025-2749)
Authentication Bypass in Quest KACE Systems Management Appliance SSO (CVE-2025-32975)
JetBrains TeamCity Relative Path Traversal (CVE-2024-27199)
Zero-click XSS in Zimbra Collaboration Classic UI (CVE-2025-48700)
Cisco Catalyst SD-WAN Manager API Arbitrary File Overwrite Privilege Escalation (CVE-2026-20122)
Cisco Catalyst SD-WAN Manager DCA Credential Disclosure / Recoverable Password Storage (CVE-2026-20128)
Cisco Catalyst SD-WAN Manager Sensitive Information Disclosure via API (CVE-2026-20133)
Visual Basic for Applications Insecure Library Loading Vulnerability (CVE-2012-1854)
Privilege Escalation in Host Process for Windows Tasks Link Following (CVE-2025-60710)
Microsoft Exchange Server Deserialization of Untrusted Data RCE (CVE-2023-21529)
Use-After-Free RCE in Adobe Acrobat (CVE-2020-9715)
Windows Common Log File System Driver Out-of-Bounds Read Privilege Escalation (CVE-2023-36424)
SQL Injection in Fortinet FortiClient EMS 7.4.4 (CVE-2026-21643)
JetBrains TeamCity Authentication Bypass (CVE-2024-27198)

Related Stories

CISA Adds Six Actively Exploited Vulnerabilities to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) Catalog by adding six new vulnerabilities that are currently being exploited in the wild. This update includes five vulnerabilities announced on October 14, 2025, and one additional vulnerability added on October 15, 2025. The vulnerabilities affect a range of widely used products, including Microsoft Windows, Rapid7 Velociraptor, SKYSEA Client View, IGEL OS, and Adobe Experience Manager. Among the most critical is CVE-2025-24990, an elevation of privilege flaw in the Agere Modem driver bundled with all Windows releases, which allows local attackers to gain SYSTEM-level access through untrusted pointer dereference. Microsoft addressed this issue by removing the vulnerable driver in the October 2025 Patch Tuesday update, though this may impact dependent hardware. Another significant vulnerability is CVE-2025-54253, a code execution flaw in Adobe Experience Manager Forms, which has been confirmed as actively exploited and poses a substantial risk to federal and enterprise environments. The Rapid7 Velociraptor vulnerability (CVE-2025-6264) involves incorrect default permissions, potentially allowing unauthorized access or privilege escalation. SKYSEA Client View is affected by an improper authentication vulnerability (CVE-2016-7836), while IGEL OS faces a risk from the use of expired cryptographic keys (CVE-2025-47827). Additionally, Microsoft Windows is impacted by an improper access control vulnerability (CVE-2025-59230). CISA’s KEV Catalog serves as a critical resource for tracking vulnerabilities that are confirmed to be exploited in real-world attacks, and federal agencies are mandated under Binding Operational Directive (BOD) 22-01 to remediate these vulnerabilities by specified deadlines. CISA strongly encourages all organizations, not just federal agencies, to prioritize patching these vulnerabilities to reduce exposure to active cyber threats. 
The addition of these vulnerabilities underscores the ongoing risk posed by unpatched systems and the importance of timely remediation. CISA’s public alerts emphasize that these vulnerabilities are not theoretical and are being leveraged by malicious actors in current attack campaigns. The agency’s updates are based on evidence of active exploitation, highlighting the need for immediate action by security teams. Organizations are advised to consult the KEV Catalog regularly and integrate its findings into their vulnerability management processes. The removal of the Agere Modem driver by Microsoft demonstrates a decisive response to mitigate risk, though it may have operational impacts for some users. The inclusion of vulnerabilities across diverse platforms indicates that attackers are targeting a broad range of technologies. CISA’s ongoing updates to the KEV Catalog reflect its commitment to providing actionable intelligence to protect both federal and private sector networks. The agency’s guidance is clear: prompt remediation of known exploited vulnerabilities is essential to defend against active threats.

1 month ago
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog

CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.

1 month ago
CISA KEV updates and active exploitation alerts highlight shifting vulnerability risk

CISA’s *Known Exploited Vulnerabilities (KEV) Catalog* continued to expand with newly confirmed in-the-wild exploitation, including the addition of **four CVEs**: `CVE-2019-19006` (Sangoma FreePBX improper authentication), `CVE-2021-39935` (GitLab CE/EE SSRF), `CVE-2025-40551` (SolarWinds Web Help Desk deserialization of untrusted data), and `CVE-2025-64328` (Sangoma FreePBX OS command injection). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by CISA’s due dates, and CISA urged non-federal organizations to use KEV as a prioritization input because these flaws are common initial access vectors. Separate reporting highlighted concerns about how CISA communicates changes to KEV metadata tied to ransomware risk: GreyNoise reported that across **59 instances in 2025**, CISA updated KEV entries to reflect **ransomware-associated exploitation** without proactively notifying defenders when the “known ransomware use” flag changed from *Unknown* to *Known*, which can materially affect patch prioritization. In parallel, third-party coverage described a CISA high-priority alert for a **critical KiloView Encoder Series** issue, `CVE-2026-1453` (CVSS **9.8**), caused by **missing authentication for critical functions** that could allow unauthenticated attackers to create/delete administrator accounts and gain full administrative control—posing disruption and lateral-movement risk in broadcast/production networks.

1 month ago
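Both the prioritization advice above (use KEV as an input, not a panic list) and GreyNoise's point about silent changes to the "known ransomware use" flag come down to watching the KEV JSON feed for more than new CVE IDs. The following Python is an added example, not Mallory's, CISA's or GreyNoise's code: it diffs two snapshots of the feed and reports new entries, entries whose knownRansomwareCampaignUse value changed, and entries whose BOD 22-01 due date falls within a week. The field names match CISA's published feed; the two snapshots, their dates and flag values are constructed for the example.

```python
import json
from datetime import date

# Constructed sample snapshots of the KEV feed. Field names follow CISA's real
# JSON (catalogVersion, dateReleased, count, vulnerabilities[...]); the
# records, due dates and flag values are made up for this example.
OLD_SNAPSHOT = json.dumps({
    "catalogVersion": "2026.04.14", "dateReleased": "2026-04-14T12:00:00.0000Z", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-04-14", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "dateAdded": "2026-04-14", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
    ],
})
NEW_SNAPSHOT = json.dumps({
    "catalogVersion": "2026.04.21", "dateReleased": "2026-04-21T12:00:00.0000Z", "count": 3,
    "vulnerabilities": [
        # Same entry as before, but the ransomware flag flipped with no new CVE added.
        {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft", "product": "Exchange Server",
         "dateAdded": "2026-04-14", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet", "product": "FortiClient EMS",
         "dateAdded": "2026-04-14", "dueDate": "2026-04-27", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "PaperCut NG/MF",
         "dateAdded": "2026-04-21", "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Known"},
    ],
})


def diff_kev(old_json, new_json, today_iso):
    """Compare two KEV snapshots. Returns new CVE IDs, IDs whose ransomware
    flag changed, and IDs whose dueDate is within the next 7 days of today_iso."""
    old = {v["cveID"]: v for v in json.loads(old_json)["vulnerabilities"]}
    new = {v["cveID"]: v for v in json.loads(new_json)["vulnerabilities"]}
    today = date.fromisoformat(today_iso)
    added = sorted(set(new) - set(old))
    # A "new CVEs only" check misses metadata edits on existing entries, which is
    # exactly the case GreyNoise described; compare the flag on every shared ID.
    flipped = sorted(c for c in new if c in old and
                     old[c]["knownRansomwareCampaignUse"] != new[c]["knownRansomwareCampaignUse"])
    due_soon = sorted(c for c, v in new.items()
                      if 0 <= (date.fromisoformat(v["dueDate"]) - today).days <= 7)
    return {"added": added, "ransomware_flag_changed": flipped, "due_within_7_days": due_soon}


if __name__ == "__main__":
    print(json.dumps(diff_kev(OLD_SNAPSHOT, NEW_SNAPSHOT, "2026-04-21"), indent=2))
```

Against the real feed, keep the previous download on disk and run the same comparison after each catalog release; the flag flips and near-due entries are the ones to push to the front of the patch queue.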