CISA Updates KEV Catalog as Research Questions How KEV Should Be Prioritized
CISA added six Microsoft vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2026-21510, CVE-2026-21513, CVE-2026-21514, CVE-2026-21519, CVE-2026-21525, and CVE-2026-21533 (including a Windows Remote Desktop Services elevation-of-privilege issue). Under Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged non-federal organizations to similarly prioritize remediation given KEV vulnerabilities’ frequent use as attack vectors.
Separately, researchers published an analysis of the KEV catalog’s composition and operational value, arguing that KEV inclusion is often misinterpreted as “most severe” rather than “known exploited with a mitigation path.” The paper reports that only ~32% of KEV entries are immediately exploitable for initial access, and that many KEV vulnerabilities are not remotely exploitable or require authentication, reinforcing the need for context-driven prioritization. The accompanying free tool, KEV Collider, enriches KEV entries with signals such as CVSS, EPSS, SSVC, Metasploit, Nuclei, and MITRE ATT&CK mappings to help security teams triage remediation and detection work under resource constraints.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Researchers publish KEV analysis paper and release KEV Collider tool
Researchers led by former CISA KEV Section Chief Tod Beardsley published a paper analyzing the KEV catalog and introduced the free KEV Collider tool to help defenders prioritize KEV-listed vulnerabilities. The work adds exploitability and operational context to KEV entries and argues that only a minority of KEV items are immediately exploitable for initial access, challenging assumptions about the catalog.
CISA adds six Microsoft vulnerabilities to KEV catalog
CISA added six Microsoft-related CVEs affecting Windows Shell, MSHTML, Office Word, and Remote Desktop Services to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. The agency said the flaws pose significant risk and required Federal Civilian Executive Branch agencies to remediate them under Binding Operational Directive 22-01.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.
Mar 21, 2026
CISA KEV Updates and New Enrichment Tooling for Vulnerability Prioritization
CISA’s **Known Exploited Vulnerabilities (KEV)** program continues to be used as an operational prioritization mechanism for vulnerabilities with confirmed exploitation, but recent analysis cautions it is often misunderstood as a definitive list of the “worst” vulnerabilities. A paper by former CISA KEV section chief Tod Beardsley describes how enrichment signals (e.g., **CVSS**, **EPSS**, **SSVC**, public exploit availability in *Metasploit*/*Nuclei*, and **MITRE ATT&CK** mappings) can be combined to better triage KEV entries, and introduces *KEV Collider*, a free web app/dataset intended to help teams explore and validate enriched KEV data; one highlighted finding is that only **~32%** of KEV-listed vulnerabilities are “immediately exploitable for initial access.” CISA also added two vulnerabilities to the KEV catalog due to **active exploitation**: **CVE-2026-24423** (SmarterTools *SmarterMail*) and **CVE-2025-11953** (*React Native Community CLI*). CVE-2026-24423 is described as an unauthenticated **RCE** tied to a missing authentication check in the `ConnectToHub` API method in SmarterMail builds prior to **9511**, enabling command execution by coercing the server to connect to a malicious HTTP endpoint; build **9511** was released to remediate, and ransomware activity has reportedly targeted exposed instances. CVE-2025-11953 is described as unauthenticated OS command injection via the Metro dev server (notably when bound to external interfaces), with reporting of exploitation activity involving PowerShell-based loaders and defense evasion; U.S. federal agencies are directed under **BOD 22-01** to remediate by the stated KEV deadline, and other organizations are advised to patch/upgrade and reduce exposure (e.g., bind Metro to localhost) while monitoring for suspicious PowerShell and related post-exploitation behavior.
Mar 21, 2026
CISA Adds GitLab SSRF and Dell RP4VM Hard-coded Credentials to KEV Catalog
CISA added **two actively exploited vulnerabilities** to its Known Exploited Vulnerabilities (KEV) Catalog: **CVE-2021-22175** (a **GitLab** server-side request forgery (SSRF) issue related to enabling internal-network requests for webhooks) and **CVE-2026-22769** (a **Dell RecoverPoint for Virtual Machines (RP4VMs)** vulnerability involving **hard-coded credentials** that can enable unauthenticated access to the underlying OS and **root-level persistence**). Under **BOD 22-01**, Federal Civilian Executive Branch (FCEB) agencies are required to remediate by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation of KEV-listed issues as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (catalog count increasing from **1522** to **1524**) and to include the new entries with their remediation deadlines (GitLab due **2026-03-11**; Dell RP4VMs due **2026-02-21**). Separate commentary and guidance from industry media emphasized using KEV as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability and impact context (e.g., access prerequisites, remote control potential) and combine KEV with other signals such as **CVSS**, **EPSS**, and exploit/tooling intelligence to drive patch sequencing.
Mar 21, 2026