CISA Adds GitLab SSRF and Dell RP4VM Hard-coded Credentials to KEV Catalog
CISA added two actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2021-22175, a GitLab server-side request forgery (SSRF) issue related to enabling internal-network requests for webhooks, and CVE-2026-22769, a Dell RecoverPoint for Virtual Machines (RP4VMs) vulnerability involving hard-coded credentials that can enable unauthenticated access to the underlying OS and root-level persistence. Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation of KEV-listed issues as part of vulnerability management.
CISA’s public KEV data repository was updated to reflect the new catalog release (catalog count increasing from 1522 to 1524) and to include the new entries with their remediation deadlines (GitLab due 2026-03-11; Dell RP4VMs due 2026-02-21). Separate commentary and guidance from industry media emphasized using KEV as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability and impact context (e.g., access prerequisites, remote control potential) and combine KEV with other signals such as CVSS, EPSS, and exploit/tooling intelligence to drive patch sequencing.
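An added example (not from CISA or the cited articles) of the prioritization approach described above, where the KEV due date is one ranking input alongside EPSS, CVSS and access context. The weights, asset names, score values and the placeholder CVE-0000-0001 are constructed assumptions; only the two CVE IDs, the dates and the catalog count come from this page.

```python
import json
from datetime import date

# Constructed excerpt in the KEV JSON layout; IDs, dates and count are from the page.
KEV_JSON = """{"count": 1524, "vulnerabilities": [
  {"cveID": "CVE-2021-22175", "dateAdded": "2026-02-18", "dueDate": "2026-03-11"},
  {"cveID": "CVE-2026-22769", "dateAdded": "2026-02-18", "dueDate": "2026-02-21"}]}"""

# Constructed scanner findings. epss/cvss are placeholders, not published scores;
# CVE-0000-0001 is a placeholder for a finding that is not in KEV.
FINDINGS = [
    {"asset": "gitlab-int-01", "cve": "CVE-2021-22175", "epss": 0.5, "cvss": 6.0,
     "internet_facing": False, "unauthenticated": True},
    {"asset": "rp4vm-backup-01", "cve": "CVE-2026-22769", "epss": 0.6, "cvss": 9.0,
     "internet_facing": False, "unauthenticated": True},
    {"asset": "vpn-edge-01", "cve": "CVE-0000-0001", "epss": 0.9, "cvss": 9.8,
     "internet_facing": True, "unauthenticated": True},
]

def load_kev(raw):
    """Map each KEV CVE ID to its remediation due date."""
    return {v["cveID"]: date.fromisoformat(v["dueDate"])
            for v in json.loads(raw)["vulnerabilities"]}

def score(finding, kev, today):
    """Assumed weighting: KEV deadline pressure is one signal among several."""
    s = 0.3 * finding["epss"] + 0.3 * finding["cvss"] / 10
    s += 0.2 * finding["internet_facing"] + 0.2 * finding["unauthenticated"]
    due = kev.get(finding["cve"])
    if due is not None:
        days_left = (due - today).days
        # Due or overdue counts fully; otherwise pressure grows as the date nears.
        s += 1.0 if days_left <= 0 else min(1.0, 7 / days_left)
    return round(s, 3)

def sequence(findings, kev, today):
    """Return (asset, cve, score, due_date_or_None), highest priority first."""
    rows = [(f["asset"], f["cve"], score(f, kev, today), kev.get(f["cve"]))
            for f in findings]
    return sorted(rows, key=lambda r: r[2], reverse=True)

def overdue(findings, kev, today):
    """KEV findings whose due date has passed and are still open."""
    return [f["asset"] for f in findings if f["cve"] in kev and kev[f["cve"]] < today]

if __name__ == "__main__":
    kev = load_kev(KEV_JSON)
    for row in sequence(FINDINGS, kev, date(2026, 2, 19)):
        print(row)
```

With a run date of 2026-02-19 the backup appliance ranks first, and the non-KEV edge finding outranks the internal GitLab instance whose deadline is still weeks away.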

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA sets federal remediation deadlines for the two KEV entries
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate the newly listed vulnerabilities by specific deadlines. Agencies were ordered to fix the Dell RecoverPoint flaw by 2026-02-21 and the GitLab flaw by 2026-03-11.
CISA adds GitLab and Dell flaws to the KEV catalog
On February 18, 2026, CISA added CVE-2021-22175, a GitLab SSRF vulnerability, and CVE-2026-22769, a Dell RecoverPoint for Virtual Machines hard-coded credentials flaw, to its Known Exploited Vulnerabilities Catalog based on evidence of active exploitation. The KEV catalog total increased from 1522 to 1524 entries.
Dell releases fixes and mitigation guidance for CVE-2026-22769
Dell released patches and mitigation guidance for the hard-coded credentials flaw CVE-2026-22769 in RecoverPoint for Virtual Machines after receiving reports of limited active exploitation. The fix preceded CISA's later KEV action and federal remediation order.
UNC6201 begins exploiting Dell RecoverPoint zero-day
Google Mandiant reported that suspected PRC-linked cluster UNC6201 had been exploiting Dell RecoverPoint for Virtual Machines vulnerability CVE-2026-22769 since at least mid-2024. The activity involved unauthorized access to VMware backup systems, lateral movement, persistence, and deployment of malware including SLAYSTYLE, BRICKSTORM, and GRIMBOLT.
Sources
CISA gives feds 3 days to patch actively exploited Dell bug • The Register
go.theregister.com
U.S. CISA adds Dell RecoverPoint and GitLab flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Add Updated KEV Files for 2026-02-18 · cisagov/kev-data@bfc8399 · GitHub
github.com
CISA Adds Two Known Exploited Vulnerabilities to Catalog | CISA
cisa.gov


