CISA added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that BOD 22-01 requires fixes by mandated due dates. The newly added KEVs are CVE-2017-7921 (Hikvision improper authentication), CVE-2021-22681 (Rockwell insufficiently protected credentials), and three Apple issues: CVE-2021-30952 (integer overflow/wraparound), CVE-2023-41974 (iOS/iPadOS use-after-free), and CVE-2023-43000 (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations.
CISA’s public kev-data repository reflects the same update, increasing the catalog count from 1531 to 1536 and recording a remediation due date of 2026-03-26 for at least CVE-2017-7921 (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
8 events from the most recent confirmed update back to the earliest known activity.
A ProjectDiscovery pull request added Nuclei detection templates for five CISA KEV-listed vulnerabilities affecting Fortinet FortiOS, SonicWall SonicOS, SonicWall SMA 1000, and Qlik Sense Enterprise. The reference says the flaws are actively exploited, including by ransomware groups such as Akira, Fog, and Cactus, and that the templates are detection-only without exploit payloads.
Researchers from Google Threat Intelligence Group, iVerify, and Lookout reported that the three Apple vulnerabilities added by CISA to KEV on March 20, 2026 were linked to the DarkSword iOS exploit kit used to deliver malware. The same reporting also tied the Craft CMS flaw to in-the-wild exploitation documented by Orange Cyberdefense and associated the Laravel Livewire flaw with attacks by the Iran-linked MuddyWater APT group.
Following the March 20, 2026 addition of five Apple, Craft CMS, and Laravel Livewire vulnerabilities to the KEV catalog, CISA required Federal Civilian Executive Branch agencies to remediate them by April 3, 2026 under BOD 22-01. The action formalized the federal response to the newly listed actively exploited flaws.
On March 20, 2026, CISA announced another KEV catalog expansion, adding five newly exploited vulnerabilities affecting Apple multiple products, Craft CMS, and Laravel Livewire. The listed issues included buffer overflow, improper locking, and code injection flaws.
Google Threat Intelligence Group attributed exploitation of some Apple vulnerabilities later added to CISA's KEV catalog to the Coruna (aka CryptoWaters) iOS exploit kit. GTIG said the kit targeted iPhones running iOS 13.0 through 17.2.1 and was used first in targeted campaigns and later more broadly by multiple tracked clusters.
Under Binding Operational Directive 22-01, CISA required Federal Civilian Executive Branch agencies to remediate the five vulnerabilities added on March 5 by March 26, 2026. CISA also urged non-federal organizations to prioritize remediation of the newly listed KEV items.
CISA's KEV data repository was updated from catalog version 2026.03.04 to 2026.03.05, increasing the total number of listed vulnerabilities from 1,531 to 1,536. The update reflected the five newly added Apple, Hikvision, and Rockwell entries.
On March 5, 2026, CISA added five actively exploited vulnerabilities affecting Apple products, Hikvision IP cameras, and Rockwell Automation products to its Known Exploited Vulnerabilities catalog. The additions included improper authentication, insufficiently protected credentials, integer overflow, and use-after-free issues.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
13 references tracked. Mallory keeps watching after this page renders.
github.com
Open sourcegithub.com
Open sourcegithub.com
Open sourcesecurityaffairs.com
Open sourcethecyberthrone.in
Open sourcecisa.gov
Open sourcegithub.com
Open sourcegithub.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.