CISA Adds Actively Exploited Adobe Commerce and Microsoft WSUS Vulnerabilities to KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2025-54236, an improper input validation flaw in Adobe Commerce and Magento, and CVE-2025-59287, a deserialization of untrusted data vulnerability in Microsoft Windows Server Update Service (WSUS). These vulnerabilities have been confirmed as being exploited in the wild, prompting CISA to require Federal Civilian Executive Branch (FCEB) agencies to remediate them under Binding Operational Directive (BOD) 22-01. CISA also strongly urges all organizations to prioritize patching these vulnerabilities to reduce exposure to cyberattacks.
Security researchers have observed widespread exploitation of the Adobe Commerce vulnerability, dubbed "SessionReaper," with over 250 attacks detected in a 24-hour period targeting e-commerce sites via the REST API. Attackers have used this flaw to hijack customer accounts and deploy PHP webshells, while only 38% of affected stores have reportedly applied the available emergency patch. The Microsoft WSUS vulnerability allows unauthorized remote code execution via network exploitation, further increasing the risk to unpatched systems. Both vulnerabilities are considered critical, with public exploit details available, underscoring the urgency for immediate remediation.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
CISA adds Microsoft WSUS and Adobe Commerce/Magento flaws to KEV catalog
CISA added two vulnerabilities affecting Microsoft Windows Server Update Services and Adobe Commerce/Magento Open Source to its Known Exploited Vulnerabilities catalog, indicating they had been observed exploited in the wild. The action required federal civilian agencies to remediate the flaws by CISA's prescribed deadline under Binding Operational Directive 22-01.
Sources
3 references tracked. Mallory keeps watching after this page renders.
CISA adds Magento and WSUS bugs to KEV Catalog
thecyberthrone.in
Open sourceCISA Adds Two Known Exploited Vulnerabilities to Catalog
cisa.gov
Open sourceU.S. CISA adds Microsoft WSUS, and Adobe Commerce and Magento Open Source flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Adobe Commerce Session Hijack Flaw Added to KEV After Active Exploitation
Adobe released an out-of-band fix for **CVE-2025-54236**, a critical improper input validation flaw in **Adobe Commerce**, **Adobe Commerce B2B**, and **Magento Open Source** that allows unauthenticated attackers to take over user sessions through vulnerable session-handling and Web API components. The bug, dubbed **"SessionReaper"** by Sansec, carries a reported **CVSS 9.1** rating and can lead to account hijacking, exposure of customer data, fraudulent orders, administrative access, and in some scenarios potentially remote code execution. Affected releases span multiple 2.4.x branches, including versions from **2.4.4 through 2.4.7** and other listed builds and earlier releases. Security guidance escalated after reports said the flaw was being actively exploited in the wild and added to **CISA's Known Exploited Vulnerabilities** catalog. Adobe published remediation details in **APSB25-88** and shipped patched versions, while defenders were urged to apply the vendor fix immediately, verify patch status, review logs for anomalous session activity, tighten administrative access, and increase **WAF**, API, and **SIEM** monitoring. Advisories also warned that leaked hotfix details and unofficial fixes could accelerate attacker weaponization or create additional risk.
May 16, 2026
CISA Adds Multiple Actively Exploited Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog by adding seven high-impact vulnerabilities that are currently being exploited in the wild. This update includes critical flaws affecting Oracle E-Business Suite, Mozilla Firefox, Thunderbird, SeaMonkey, Microsoft Windows, Microsoft Internet Explorer, the Linux Kernel, and Microsoft Windows privilege escalation mechanisms. Among the most severe is CVE-2025-61882, a remotely exploitable vulnerability in Oracle E-Business Suite’s BI Publisher Integration, which allows unauthenticated attackers to compromise the Oracle Concurrent Processing component via HTTP. This flaw, rated CVSS 9.8, has been actively exploited in ransomware campaigns, notably by the Cl0p ransomware group, leading to data theft and potential remote code execution. Oracle responded by releasing an emergency patch for affected versions 12.2.3 through 12.2.14, and organizations are urged to apply this fix immediately and monitor for suspicious HTTP traffic targeting BI Publisher endpoints. Another addition, CVE-2010-3765, is a memory corruption vulnerability in Mozilla products, including Firefox, Thunderbird, and SeaMonkey, which can be exploited via JavaScript to execute arbitrary code. This flaw has been leveraged by the "Belmoo" malware in real-world attacks. Microsoft vulnerabilities added to the catalog include CVE-2011-3402, a TrueType font parsing flaw in the Windows kernel (win32k.sys) that enables remote code execution through malicious font files, and CVE-2010-3962, an uninitialized memory corruption issue in Internet Explorer. CVE-2013-3918, another Microsoft Windows vulnerability, was originally used in the 2009 Aurora attack and later repurposed by the EQUATION group to target government users in Afghanistan. The Linux Kernel vulnerability CVE-2021-22555, a heap out-of-bounds write, and CVE-2021-43226, a Windows privilege escalation flaw, are also included due to their active exploitation and potential for significant impact. CISA’s KEV catalog serves as a critical resource for organizations, highlighting vulnerabilities that require urgent attention due to their exploitation in real-world attacks. Federal agencies are mandated to address these vulnerabilities within a defined timeframe under Binding Operational Directive (BOD) 22-01. The inclusion of both recent and older vulnerabilities underscores the persistent risk posed by unpatched systems, as threat actors continue to exploit legacy flaws alongside newly discovered ones. Security experts emphasize the importance of immediate patching, robust monitoring, and comprehensive vulnerability management to mitigate the risks associated with these actively exploited vulnerabilities. The update reflects ongoing efforts by CISA to enhance the security posture of federal and enterprise environments by ensuring that known exploited vulnerabilities are promptly addressed. Organizations are advised to review the KEV catalog regularly, prioritize remediation of listed vulnerabilities, and implement additional security controls where patching is not immediately feasible. The addition of these vulnerabilities highlights the evolving threat landscape and the need for continuous vigilance against both new and longstanding security weaknesses. CISA’s proactive approach aims to reduce the attack surface and limit the opportunities for threat actors to compromise critical infrastructure. The agency’s guidance is particularly relevant for entities operating Oracle E-Business Suite, Microsoft products, and Linux systems, given the active exploitation of these platforms. The KEV catalog update serves as a call to action for all organizations to assess their exposure and take decisive steps to protect their assets from ongoing cyber threats.
Mar 21, 2026
CISA Expands KEV Catalog With Actively Exploited Enterprise Software Flaws
CISA added 14 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog across two updates, citing evidence of active exploitation against widely used enterprise products from Fortinet, Microsoft, Adobe, Cisco, JetBrains, PaperCut, Kentico, Quest, and Zimbra. The newly listed flaws include issues in FortiClient EMS, Adobe Acrobat Reader, Microsoft Windows Common Log File System Driver, Microsoft Exchange Server, Host Process for Windows Tasks, Microsoft Visual Basic for Applications, JetBrains TeamCity, PaperCut NG/MF, Kentico Xperience, Quest KACE SMA, Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager, including privilege escalation, credential exposure, sensitive information disclosure, and cross-site scripting weaknesses. Reporting tied several of the vulnerabilities to real-world intrusion activity and ransomware operations. Microsoft said threat actor **Storm-1175** used `CVE-2023-21529` to deliver **Medusa ransomware**, while `CVE-2023-27351` has been linked to **Lace Tempest** deployments of **Cl0p** and **LockBit**. Defused Cyber also reported exploitation attempts against `CVE-2026-21643`, and CISA said federal civilian agencies must remediate the newly added flaws on deadlines running from late April into May 2026 under Binding Operational Directive requirements, while private-sector defenders were urged to prioritize the KEV entries for patching and exposure reduction.
Apr 29, 2026