CISA Flags Actively Exploited Vulnerabilities as KEV Adds Expand to BeyondTrust and Roundcube
CISA updated its Known Exploited Vulnerabilities (KEV) Catalog to reflect active exploitation of a previously patched BeyondTrust remote code execution flaw, CVE-2026-1731 (CVSS 9.9), which has now been tied to ransomware activity. Reporting also cited third-party telemetry indicating an increase in exploitation attempts, and emphasized that because BeyondTrust commonly sits in identity/privileged access paths, successful RCE can rapidly translate into broad enterprise compromise; recommended mitigations included immediate patching and, if patching is not immediately possible, taking the affected portal offline or tightly restricting access.
Separately, CISA also announced the addition of two Roundcube Webmail vulnerabilities to the KEV Catalog based on evidence of active exploitation: CVE-2025-49113 (deserialization of untrusted data) and CVE-2025-68461 (cross-site scripting). CISA reiterated that under BOD 22-01, U.S. Federal Civilian Executive Branch agencies must remediate KEV-listed issues by mandated deadlines, and urged all organizations to prioritize remediation of KEV entries as a high-signal indicator of real-world exploitation risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CISA adds two RoundCube vulnerabilities to KEV catalog
On 2026-02-20, CISA added RoundCube Webmail vulnerabilities CVE-2025-49113 and CVE-2025-68461 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. CISA said the flaws pose significant risk and required federal agencies to remediate them by the specified deadlines under BOD 22-01.
Unit 42 reports increased exploitation of BeyondTrust flaw
Also on 2026-02-19, Palo Alto Networks Unit 42 reported increased exploitation activity targeting the BeyondTrust vulnerability CVE-2026-1731. Security experts warned that compromise of BeyondTrust products could provide attackers broad privileged access because of their role in identity and access infrastructure.
CISA flags BeyondTrust CVE-2026-1731 as exploited in ransomware attacks
On 2026-02-19, CISA updated its Known Exploited Vulnerabilities catalog to note that CVE-2026-1731 in BeyondTrust is being exploited in ransomware attacks. The update indicated the flaw had moved from general exploitation to confirmed ransomware use.
BeyondTrust patches critical RCE flaw CVE-2026-1731
BeyondTrust released a patch for CVE-2026-1731 on 2026-02-06. The critical vulnerability, rated CVSS 9.9, allows unauthenticated remote code execution via specially crafted requests if left unpatched.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Actively Exploited Roundcube Webmail Vulnerabilities to KEV Catalog
CISA added two **Roundcube Webmail** vulnerabilities to its **Known Exploited Vulnerabilities (KEV)** catalog, citing evidence of **active exploitation**: **CVE-2025-49113** (CVSS 9.9), a deserialization issue enabling **authenticated remote code execution** due to improper validation of the `_from` URL parameter in `program/actions/settings/upload.php`, and **CVE-2025-68461** (CVSS 7.2), an **XSS** flaw involving the `animate` tag in an SVG document. CISA directed U.S. Federal Civilian Executive Branch (FCEB) agencies to remediate by **2026-03-13**, and advised applying vendor mitigations per guidance (or discontinuing use if mitigations are unavailable). The KEV repository updates for **2026-02-20** reflect both Roundcube entries, including mappings to **CWE-502** (deserialization) and **CWE-79** (XSS) and links to Roundcube advisories/releases. Reporting also noted that researchers observed rapid attacker uptake of CVE-2025-49113 after disclosure, including claims that attackers quickly “diffed and weaponized” the bug and that exploit access was offered for sale shortly after. Separate reporting about **BeyondTrust Remote Support/Privileged Remote Access** (**CVE-2026-1731**) describes a different KEV addition and is not part of the Roundcube event.
Mar 21, 2026
CISA KEV updates and active exploitation alerts highlight shifting vulnerability risk
CISA’s *Known Exploited Vulnerabilities (KEV) Catalog* continued to expand with newly confirmed in-the-wild exploitation, including the addition of **four CVEs**: `CVE-2019-19006` (Sangoma FreePBX improper authentication), `CVE-2021-39935` (GitLab CE/EE SSRF), `CVE-2025-40551` (SolarWinds Web Help Desk deserialization of untrusted data), and `CVE-2025-64328` (Sangoma FreePBX OS command injection). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by CISA’s due dates, and CISA urged non-federal organizations to use KEV as a prioritization input because these flaws are common initial access vectors. Separate reporting highlighted concerns about how CISA communicates changes to KEV metadata tied to ransomware risk: GreyNoise reported that across **59 instances in 2025**, CISA updated KEV entries to reflect **ransomware-associated exploitation** without proactively notifying defenders when the “known ransomware use” flag changed from *Unknown* to *Known*, which can materially affect patch prioritization. In parallel, third-party coverage described a CISA high-priority alert for a **critical KiloView Encoder Series** issue, `CVE-2026-1453` (CVSS **9.8**), caused by **missing authentication for critical functions** that could allow unauthenticated attackers to create/delete administrator accounts and gain full administrative control—posing disruption and lateral-movement risk in broadcast/production networks.
Mar 21, 2026
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.
Mar 21, 2026