CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that BOD 22-01 requires fixes by mandated due dates. The newly added KEVs are CVE-2017-7921 (Hikvision improper authentication), CVE-2021-22681 (Rockwell insufficiently protected credentials), and three Apple issues: CVE-2021-30952 (integer overflow/wraparound), CVE-2023-41974 (iOS/iPadOS use-after-free), and CVE-2023-43000 (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations.
CISA’s public kev-data repository reflects the same update, increasing the catalog count from 1531 to 1536 and recording a remediation due date of 2026-03-26 for at least CVE-2017-7921 (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
Nuclei adds detection templates for five KEV flaws in Fortinet, SonicWall, and Qlik
A ProjectDiscovery pull request added Nuclei detection templates for five CISA KEV-listed vulnerabilities affecting Fortinet FortiOS, SonicWall SonicOS, SonicWall SMA 1000, and Qlik Sense Enterprise. The reference says the flaws are actively exploited, including by ransomware groups such as Akira, Fog, and Cactus, and that the templates are detection-only without exploit payloads.
Researchers link March 20 Apple KEV flaws to DarkSword exploit kit
Researchers from Google Threat Intelligence Group, iVerify, and Lookout reported that the three Apple vulnerabilities added by CISA to KEV on March 20, 2026 were linked to the DarkSword iOS exploit kit used to deliver malware. The same reporting also tied the Craft CMS flaw to in-the-wild exploitation documented by Orange Cyberdefense and associated the Laravel Livewire flaw with attacks by the Iran-linked MuddyWater APT group.
CISA sets April 3 deadline for federal remediation of March 20 KEV additions
Following the March 20, 2026 addition of five Apple, Craft CMS, and Laravel Livewire vulnerabilities to the KEV catalog, CISA required Federal Civilian Executive Branch agencies to remediate them by April 3, 2026 under BOD 22-01. The action formalized the federal response to the newly listed actively exploited flaws.
CISA adds five more exploited flaws affecting Apple, Craft CMS, and Laravel
On March 20, 2026, CISA announced another KEV catalog expansion, adding five newly exploited vulnerabilities affecting Apple multiple products, Craft CMS, and Laravel Livewire. The listed issues included buffer overflow, improper locking, and code injection flaws.
Google links Apple iOS flaws to Coruna exploit kit activity
Google Threat Intelligence Group attributed exploitation of some Apple vulnerabilities later added to CISA's KEV catalog to the Coruna (aka CryptoWaters) iOS exploit kit. GTIG said the kit targeted iPhones running iOS 13.0 through 17.2.1 and was used first in targeted campaigns and later more broadly by multiple tracked clusters.
CISA sets March 26 deadline for federal remediation of March 5 KEV additions
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate the five vulnerabilities added on March 5 by March 26, 2026. CISA also urged non-federal organizations to prioritize remediation of the newly listed KEV items.
CISA KEV catalog update raises total listed vulnerabilities to 1,536
CISA's KEV data repository was updated from catalog version 2026.03.04 to 2026.03.05, increasing the total number of listed vulnerabilities from 1,531 to 1,536. The update reflected the five newly added Apple, Hikvision, and Rockwell entries.
CISA adds five Apple, Hikvision, and Rockwell flaws to KEV
On March 5, 2026, CISA added five actively exploited vulnerabilities affecting Apple products, Hikvision IP cameras, and Rockwell Automation products to its Known Exploited Vulnerabilities catalog. The additions included improper authentication, insufficiently protected credentials, integer overflow, and use-after-free issues.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
13 references tracked. Mallory keeps watching after this page renders.
Add 5 KEV CVE templates (Fortinet, SonicWall, Qlik Sense) by ElromEvedElElyon · Pull Request #15698 · projectdiscovery/nuclei-templates · GitHub
github.com
Open sourceAdd 5 KEV CVE templates (WebLogic, Plex, Nagios XI, Pi-hole, Roundcube) by ElromEvedElElyon · Pull Request #15700 · projectdiscovery/nuclei-templates · GitHub
github.com
Open sourceAdd 5 KEV CVE templates (Pulse Secure, Cisco IP Phone, SAP CRM) by ElromEvedElElyon · Pull Request #15701 · projectdiscovery/nuclei-templates · GitHub
github.com
Open sourceU.S. CISA adds Apple, Laravel Livewire and Craft CMS flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Adds Five Flaws to Its KEV Catalog - TheCyberThrone
thecyberthrone.in
Open sourceCISA Adds Five Known Exploited Vulnerabilities to Catalog | CISA
cisa.gov
Open sourceAdd Updated KEV Files for 2026-03-05 · cisagov/kev-data@15ded9b · GitHub
github.com
Open sourceAdd Updated KEV Files for 2026-03-05 · cisagov/kev-data@5e2843e · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, reinforcing that these issues are being used as real-world attack vectors and should be prioritized for remediation. The newly listed CVEs are **CVE-2018-14634** (Linux kernel integer overflow / local privilege escalation), **CVE-2025-52691** (SmarterTools *SmarterMail* unrestricted file upload enabling RCE), **CVE-2026-21509** (Microsoft Office security feature bypass), **CVE-2026-23760** (SmarterTools *SmarterMail* authentication bypass via alternate path/channel), and **CVE-2026-24061** (GNU *InetUtils* argument injection). CISA reiterated that these vulnerability classes are frequently leveraged by threat actors and pose material risk to enterprise environments. Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed vulnerabilities by CISA-specified due dates, and CISA urged all organizations to treat KEV entries as high-priority items in vulnerability management. Additional technical context highlighted that **CVE-2025-52691** can enable unauthenticated arbitrary file upload leading to **remote code execution** (noted as **CVSS 10.0** in the reporting) and that **CVE-2018-14634**, while older, remains relevant where legacy Linux kernels persist—underscoring that KEV additions can include long-standing flaws when exploitation is observed in the wild.
Mar 21, 2026
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.
Mar 21, 2026
CISA Adds Actively Exploited Vulnerabilities to the Known Exploited Vulnerabilities Catalog
CISA updated its **Known Exploited Vulnerabilities (KEV) Catalog** after identifying evidence of **active exploitation in the wild**, reinforcing that organizations should prioritize remediation under **BOD 22-01** timelines (for FCEB agencies) and as a broader risk-reduction measure for all enterprises. One update added **CVE-2025-68613** affecting *n8n*, described as an **improper control of dynamically-managed code resources** issue, and CISA emphasized that KEV entries represent vulnerabilities being leveraged by threat actors. Separate KEV-related reporting described additional catalog additions tied to active exploitation, including **CVE-2026-1603** (*Ivanti Endpoint Manager*) described as an **authentication bypass** with potential exposure of credential data (fixed in *EPM 2024 SU5*), **CVE-2025-26399** (*SolarWinds Web Help Desk*) described as a **critical deserialization/RCE** issue in `AjaxProxy` (fixed in *WHD 12.8.7 HF1*), and **CVE-2021-22054** (*Omnissa/VMware Workspace ONE*) described as an **SSRF**. Additional coverage also highlighted CISA’s KEV addition of multiple **Apple** vulnerabilities—**CVE-2023-43000**, **CVE-2023-41974** (both **use-after-free**), and **CVE-2021-30952** (**integer overflow**)—impacting macOS/iOS/iPadOS and related platforms, with exploitation reported as active and patching urged to reduce risk of arbitrary code execution and elevated privileges.
May 27, 2026