CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation: CVE-2008-0015 (Microsoft Windows Video ActiveX Control RCE), CVE-2020-7796 (Synacor Zimbra Collaboration Suite SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), CVE-2024-7694 (TeamT5 ThreatSonar Anti-Ransomware unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and CVE-2026-2441 (Google Chromium CSS use-after-free). Under BOD 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management.
CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including CVE-2020-7796 and CVE-2024-7694 with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as CVSS, EPSS, and observed exploit tooling to drive patch sequencing.
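A sketch of that prioritization approach, as an added example that is not code from CISA or the cited commentary. The KEV records use the field names of CISA's JSON feed with the CVE IDs and due date reported in this story; the asset counts, CVSS/EPSS values, tooling flags and weights are constructed placeholders and assumptions.

```python
import json
from datetime import date

# KEV records in the layout of CISA's JSON feed; CVE IDs and dates are from this story.
KEV_FEED = json.loads("""
{"catalogVersion": "2026.02.17", "vulnerabilities": [
  {"cveID": "CVE-2008-0015", "dateAdded": "2026-02-17", "dueDate": "2026-03-10"},
  {"cveID": "CVE-2020-7796", "dateAdded": "2026-02-17", "dueDate": "2026-03-10"},
  {"cveID": "CVE-2024-7694", "dateAdded": "2026-02-17", "dueDate": "2026-03-10"},
  {"cveID": "CVE-2026-2441", "dateAdded": "2026-02-17", "dueDate": "2026-03-10"}
]}""")

# Constructed context for a hypothetical environment. hosts = affected assets in
# inventory; cvss/epss = PLACEHOLDER scores (look up real ones); privs/tooling =
# analyst notes on required privileges and observed exploit tooling.
CONTEXT = {
    "CVE-2008-0015": {"hosts": 0,   "cvss": 9.0, "epss": 0.50, "privs": "none",  "tooling": True},
    "CVE-2020-7796": {"hosts": 2,   "cvss": 9.0, "epss": 0.50, "privs": "none",  "tooling": True},
    "CVE-2024-7694": {"hosts": 1,   "cvss": 7.0, "epss": 0.10, "privs": "admin", "tooling": False},
    "CVE-2026-2441": {"hosts": 400, "cvss": 8.0, "epss": 0.30, "privs": "none",  "tooling": True},
}

# Assumed weights: flaws that need existing privileges are discounted, not ignored.
PRIV_FACTOR = {"none": 1.0, "user": 0.7, "admin": 0.4}

def score(ctx):
    """Combine severity, likelihood, required privileges and local exposure."""
    likelihood = max(ctx["epss"], 0.5 if ctx["tooling"] else 0.0)
    exposure = min(1.0, 0.5 + ctx["hosts"] / 100)
    return round(ctx["cvss"] * likelihood * PRIV_FACTOR[ctx["privs"]] * exposure, 2)

def patch_sequence(feed, context, today_iso):
    """Return (queue, unscheduled): queue is sorted by score, then days to due date."""
    today = date.fromisoformat(today_iso)
    queue, unscheduled = [], []
    for rec in feed["vulnerabilities"]:
        ctx = context.get(rec["cveID"])
        if not ctx or ctx["hosts"] == 0:
            unscheduled.append(rec["cveID"])  # no known deployment: track only
            continue
        days_left = (date.fromisoformat(rec["dueDate"]) - today).days
        queue.append((rec["cveID"], score(ctx), days_left))
    queue.sort(key=lambda r: (-r[1], r[2]))
    return queue, unscheduled

if __name__ == "__main__":
    queue, unscheduled = patch_sequence(KEV_FEED, CONTEXT, "2026-02-17")
    for cve, s, days in queue:
        print(f"{cve}  score={s}  days_to_due={days}")
    print("in KEV, not deployed here:", unscheduled)
```

KEV membership decides what enters the queue and the due date breaks ties; the other signals only decide order, so every deployed KEV entry is still scheduled before its deadline.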

How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
TeamT5 says customers migrated off vulnerable ThreatSonar versions
TeamT5 later stated that affected customers had already migrated away from vulnerable ThreatSonar Anti-Ransomware versions. The company also said it had improved its secure development lifecycle and security processes in response.
CISA sets March 10 remediation deadline for newly added KEV flaws
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate the four newly added KEV vulnerabilities by 2026-03-10. CISA also urged all organizations to prioritize mitigation or discontinue use if mitigations were unavailable.
CISA adds four vulnerabilities to the KEV catalog
CISA updated its Known Exploited Vulnerabilities catalog on February 17, 2026, adding four CVEs: CVE-2008-0015, CVE-2020-7796, CVE-2024-7694, and CVE-2026-2441. The catalog version changed from 2026.02.13 to 2026.02.17 and the total listed vulnerabilities increased from 1518 to 1522.
Google fixes Chromium zero-day CVE-2026-2441 in Chrome 145.0.7632.75
Google released a fix for CVE-2026-2441, which affects Chrome versions prior to 145.0.7632.75, according to reporting on the KEV update. The patch addressed the actively exploited CSS use-after-free issue in Chromium.
Google discloses active exploitation of Chromium CVE-2026-2441
Google stated that an exploit for Chromium CSS use-after-free vulnerability CVE-2026-2441 exists in the wild. The flaw affects Chromium-based browsers and was described as an actively exploited zero-day.
GreyNoise observes exploitation cluster targeting Zimbra SSRF flaw
GreyNoise reported a March 2025 exploitation cluster involving roughly 400 IP addresses targeting SSRF vulnerabilities, including Zimbra Collaboration Suite flaw CVE-2020-7796, across multiple countries. The activity provided evidence of in-the-wild exploitation later cited in reporting on the KEV addition.
Microsoft documents exploitation of Windows Video ActiveX flaw CVE-2008-0015
Microsoft documented that CVE-2008-0015 in the Windows Video ActiveX Control was exploited to download additional malware and had been used to deliver the Dogkild worm. This establishes long-standing real-world exploitation of the flaw later added to CISA's KEV catalog.
Sources
Updated CISA vulnerabilities catalog adds Chrome, Zimbra, Windows, ThreatSonar flaws | SC Media (scworld.com)
U.S. CISA adds Google Chromium CSS, Microsoft Windows, TeamT5 ThreatSonar Anti-Ransomware, and Zimbra flaws to its Known Exploited Vulnerabilities catalog (securityaffairs.com)
CISA Flags Four Security Flaws Under Active Exploitation in Latest KEV Update (thehackernews.com)
CISA adds four vulnerabilities to KEV Catalog - Feb 17, 2026 - TheCyberThrone (thecyberthrone.in)
Add Updated KEV Files for 2026-02-17 · cisagov/kev-data@4448c2f · GitHub (github.com)
CISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA (cisa.gov)

