CISA KEV updates and active exploitation alerts highlight shifting vulnerability risk
CISA’s Known Exploited Vulnerabilities (KEV) Catalog continued to expand with newly confirmed in-the-wild exploitation, including the addition of four CVEs: CVE-2019-19006 (Sangoma FreePBX improper authentication), CVE-2021-39935 (GitLab CE/EE SSRF), CVE-2025-40551 (SolarWinds Web Help Desk deserialization of untrusted data), and CVE-2025-64328 (Sangoma FreePBX OS command injection). Under BOD 22-01, U.S. Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by CISA’s due dates, and CISA urged non-federal organizations to use KEV as a prioritization input because these flaws are common initial access vectors.
Separate reporting highlighted concerns about how CISA communicates changes to KEV metadata tied to ransomware risk: GreyNoise reported that across 59 instances in 2025, CISA updated KEV entries to reflect ransomware-associated exploitation without proactively notifying defenders when the “known ransomware use” flag changed from Unknown to Known, which can materially affect patch prioritization. In parallel, third-party coverage described a CISA high-priority alert for a critical KiloView Encoder Series issue, CVE-2026-1453 (CVSS 9.8), caused by missing authentication for critical functions that could allow unauthenticated attackers to create/delete administrator accounts and gain full administrative control—posing disruption and lateral-movement risk in broadcast/production networks.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
GreyNoise publicly criticizes CISA's silent KEV ransomware updates
GreyNoise researcher Glenn Thorpe publicly criticized CISA for changing ransomware-exploitation status in the KEV catalog without clearly alerting defenders. Reporting highlighted that 39% of vulnerabilities later confirmed as used in ransomware had been in KEV since 2022 or earlier, with delays ranging from 1 to 1,353 days.
CISA adds four actively exploited vulnerabilities to KEV catalog
CISA added four vulnerabilities affecting Sangoma FreePBX, GitLab Community and Enterprise Editions, and SolarWinds Web Help Desk to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The agency said Federal Civilian Executive Branch agencies must remediate them under Binding Operational Directive 22-01 by specified deadlines.
GreyNoise publishes RSS feed for KEV ransomware-status changes
In response to the silent KEV catalog changes, GreyNoise launched an hourly updated RSS feed to alert defenders when a vulnerability's ransomware-use status changes. The feed was presented as a way to improve visibility into CISA's catalog updates.
CISA silently flips ransomware status on 59 KEV entries during 2025
Throughout 2025, CISA updated 59 vulnerabilities in its Known Exploited Vulnerabilities catalog from ransomware-use status 'unknown' to 'known' without separate defender notifications. GreyNoise said these changes were materially important for patching and mitigation prioritization, with many affected flaws tied to Microsoft, Ivanti, Fortinet, Palo Alto Networks, and Zimbra products.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Five for Friday: February 6, 2026 - Sherpa Intelligence
sherpaintelligence.substack.com
Open sourceExpert says CISA silently fixing bugs could be a problem | SC Media
scworld.com
Open sourceCISA quietly updated ransomware flags on 59 flaws last year • The Register
go.theregister.com
Open sourceCISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA KEV Updates and New Enrichment Tooling for Vulnerability Prioritization
CISA’s **Known Exploited Vulnerabilities (KEV)** program continues to be used as an operational prioritization mechanism for vulnerabilities with confirmed exploitation, but recent analysis cautions it is often misunderstood as a definitive list of the “worst” vulnerabilities. A paper by former CISA KEV section chief Tod Beardsley describes how enrichment signals (e.g., **CVSS**, **EPSS**, **SSVC**, public exploit availability in *Metasploit*/*Nuclei*, and **MITRE ATT&CK** mappings) can be combined to better triage KEV entries, and introduces *KEV Collider*, a free web app/dataset intended to help teams explore and validate enriched KEV data; one highlighted finding is that only **~32%** of KEV-listed vulnerabilities are “immediately exploitable for initial access.” CISA also added two vulnerabilities to the KEV catalog due to **active exploitation**: **CVE-2026-24423** (SmarterTools *SmarterMail*) and **CVE-2025-11953** (*React Native Community CLI*). CVE-2026-24423 is described as an unauthenticated **RCE** tied to a missing authentication check in the `ConnectToHub` API method in SmarterMail builds prior to **9511**, enabling command execution by coercing the server to connect to a malicious HTTP endpoint; build **9511** was released to remediate, and ransomware activity has reportedly targeted exposed instances. CVE-2025-11953 is described as unauthenticated OS command injection via the Metro dev server (notably when bound to external interfaces), with reporting of exploitation activity involving PowerShell-based loaders and defense evasion; U.S. federal agencies are directed under **BOD 22-01** to remediate by the stated KEV deadline, and other organizations are advised to patch/upgrade and reduce exposure (e.g., bind Metro to localhost) while monitoring for suspicious PowerShell and related post-exploitation behavior.
Mar 21, 2026
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.
Mar 21, 2026
CISA Updates Known Exploited Vulnerabilities Catalog With New Entries Including Dell RecoverPoint Hard-Coded Credentials
CISA updated its **Known Exploited Vulnerabilities (KEV) Catalog** with additional vulnerabilities confirmed as exploited in the wild, reinforcing patch/mitigation urgency under **BOD 22-01** timelines. The KEV print catalog shows the addition of **CVE-2026-22769** affecting **Dell RecoverPoint for Virtual Machines (RP4VMs)**, described as a *use of hard-coded credentials* issue that could allow an **unauthenticated remote attacker** to gain unauthorized access to the underlying OS and establish **root-level persistence**; CISA’s entry points to Dell advisories/remediation guidance and third-party reporting on active exploitation. A corresponding update to CISA’s public *kev-data* repository reflects the routine publication of refreshed KEV data files and includes multiple KEV rows (e.g., **CVE-2024-7694** in *TeamT5 ThreatSonar Anti-Ransomware* for unrestricted file upload leading to command execution with admin privileges on the platform, and legacy items such as **CVE-2008-0015** in Microsoft Windows Video ActiveX Control). The KEV print view also lists other exploited items such as **CVE-2021-22175** in **GitLab** (SSRF when internal-network webhook requests are enabled), underscoring that the catalog update spans multiple vendors and vulnerability classes and should be treated as an operational patching priority.
Mar 21, 2026