Mallory

CISA Flags Actively Exploited Vulnerabilities as KEV Adds Expand to BeyondTrust and Roundcube

Tags: active exploitation, cisa, remote code execution, cross-site scripting, beyondtrust, ransomware, identity management, roundcube, privileged access, patching, webmail, kev
Updated February 21, 2026 at 12:08 AM · 2 sources


CISA updated its Known Exploited Vulnerabilities (KEV) Catalog to reflect active exploitation of a previously patched BeyondTrust remote code execution flaw, CVE-2026-1731 (CVSS 9.9), which has now been tied to ransomware activity. Reporting also cited third-party telemetry indicating an increase in exploitation attempts, and emphasized that because BeyondTrust commonly sits in identity/privileged access paths, successful RCE can rapidly translate into broad enterprise compromise; recommended mitigations included immediate patching and, if patching is not immediately possible, taking the affected portal offline or tightly restricting access.

Separately, CISA also announced the addition of two Roundcube Webmail vulnerabilities to the KEV Catalog based on evidence of active exploitation: CVE-2025-49113 (deserialization of untrusted data) and CVE-2025-68461 (cross-site scripting). CISA reiterated that under BOD 22-01, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by mandated deadlines, and urged all organizations to prioritize remediation of KEV entries as a high-signal indicator of real-world exploitation risk.

Related Stories

CISA Adds Actively Exploited Roundcube Webmail Vulnerabilities to KEV Catalog

CISA added two **Roundcube Webmail** vulnerabilities to its **Known Exploited Vulnerabilities (KEV)** catalog, citing evidence of **active exploitation**: **CVE-2025-49113** (CVSS 9.9), a deserialization issue enabling **authenticated remote code execution** due to improper validation of the `_from` URL parameter in `program/actions/settings/upload.php`, and **CVE-2025-68461** (CVSS 7.2), an **XSS** flaw involving the `animate` tag in an SVG document. CISA directed U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate by **2026-03-13**, and advised applying vendor mitigations per guidance (or discontinuing use if mitigations are unavailable). The KEV repository updates for **2026-02-20** reflect both Roundcube entries, including mappings to **CWE-502** (deserialization) and **CWE-79** (XSS) and links to Roundcube advisories/releases. Reporting also noted that researchers observed rapid attacker uptake of CVE-2025-49113 after disclosure, including claims that attackers quickly “diffed and weaponized” the bug and that exploit access was offered for sale shortly after. Separate reporting about **BeyondTrust Remote Support/Privileged Remote Access** (**CVE-2026-1731**) describes a different KEV addition and is not part of the Roundcube event.

3 weeks ago
CISA KEV updates and active exploitation alerts highlight shifting vulnerability risk

CISA’s *Known Exploited Vulnerabilities (KEV) Catalog* continued to expand with newly confirmed in-the-wild exploitation, including the addition of **four CVEs**: `CVE-2019-19006` (Sangoma FreePBX improper authentication), `CVE-2021-39935` (GitLab CE/EE SSRF), `CVE-2025-40551` (SolarWinds Web Help Desk deserialization of untrusted data), and `CVE-2025-64328` (Sangoma FreePBX OS command injection). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by CISA’s due dates, and CISA urged non-federal organizations to use KEV as a prioritization input because these flaws are common initial access vectors. Separate reporting highlighted concerns about how CISA communicates changes to KEV metadata tied to ransomware risk: GreyNoise reported that across **59 instances in 2025**, CISA updated KEV entries to reflect **ransomware-associated exploitation** without proactively notifying defenders when the “known ransomware use” flag changed from *Unknown* to *Known*, which can materially affect patch prioritization. In parallel, third-party coverage described a CISA high-priority alert for a **critical KiloView Encoder Series** issue, `CVE-2026-1453` (CVSS **9.8**), caused by **missing authentication for critical functions** that could allow unauthenticated attackers to create/delete administrator accounts and gain full administrative control—posing disruption and lateral-movement risk in broadcast/production networks.
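As an added illustration (not code from the source reporting, CISA or GreyNoise), this script performs the check that both the BeyondTrust story above and the GreyNoise finding call for: it diffs two snapshots of CISA's KEV JSON feed and reports newly added CVEs with their BOD 22-01 due dates, plus existing entries whose ransomware flag flipped from Unknown to Known, which a watcher that only tracks new CVE ids would miss. The field names follow the public KEV JSON feed; the snapshot contents are constructed sample data, and the BeyondTrust due date is made up.

```python
"""Diff two snapshots of CISA's KEV JSON feed: new entries and ransomware-flag changes."""
import json

# Constructed sample snapshots (not real feed data) in the shape of the public KEV JSON
# feed: a "vulnerabilities" list whose entries carry cveID, dueDate and
# knownRansomwareCampaignUse ("Known"/"Unknown"). Due dates other than Roundcube's
# 2026-03-13 are made up for the example.
OLD_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
     "dueDate": "2026-03-01", "knownRansomwareCampaignUse": "Unknown"},
]})
NEW_SNAPSHOT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-1731", "vendorProject": "BeyondTrust",
     "dueDate": "2026-03-01", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2025-49113", "vendorProject": "Roundcube",
     "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-68461", "vendorProject": "Roundcube",
     "dueDate": "2026-03-13", "knownRansomwareCampaignUse": "Unknown"},
]})

def index_by_cve(snapshot_json: str) -> dict:
    """Parse a KEV feed document and key its entries by CVE id."""
    return {v["cveID"]: v for v in json.loads(snapshot_json).get("vulnerabilities", [])}

def diff_kev(old_json: str, new_json: str) -> dict:
    """Report newly added CVEs and existing CVEs whose ransomware flag flipped to Known.
    A watcher that only looks for new CVE ids misses the second kind of change,
    which is the silent metadata update GreyNoise described."""
    old, new = index_by_cve(old_json), index_by_cve(new_json)
    added = sorted(cve for cve in new if cve not in old)
    ransomware_now_known = sorted(
        cve for cve, entry in new.items()
        if cve in old
        and old[cve].get("knownRansomwareCampaignUse") != "Known"
        and entry.get("knownRansomwareCampaignUse") == "Known"
    )
    return {"added": added, "ransomware_now_known": ransomware_now_known}

def due_dates(snapshot_json: str, cves: list) -> dict:
    """Map the given CVEs to their BOD 22-01 remediation due dates."""
    entries = index_by_cve(snapshot_json)
    return {cve: entries[cve]["dueDate"] for cve in cves if cve in entries}

if __name__ == "__main__":
    changes = diff_kev(OLD_SNAPSHOT, NEW_SNAPSHOT)
    print("added:", changes["added"], "due:", due_dates(NEW_SNAPSHOT, changes["added"]))
    print("ransomware flag now Known:", changes["ransomware_now_known"])
```

Run it against two dated downloads of the real feed to get the same two lists for your environment.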

1 month ago
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog

CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.

1 month ago