CISA Expands KEV Catalog With Broad Wave of Actively Exploited Enterprise Flaws
CISA repeatedly expanded its Known Exploited Vulnerabilities (KEV) Catalog after confirming active exploitation across a wide range of products, including Apple platforms, Ivanti EPM and EPMM, SolarWinds Web Help Desk, Omnissa Workspace ONE, n8n, Google Chromium and Skia, Wing FTP Server, Zimbra, Cisco firewall management products, Langflow, Aqua Security Trivy, F5 BIG-IP, Fortinet FortiClient EMS, Microsoft Exchange, SharePoint, Windows, Defender, Adobe Acrobat/Reader, Apache ActiveMQ, Trend Micro Apex One, Palo Alto PAN-OS, and other enterprise software. Several entries were especially notable because they involved remote code execution, code injection, deserialization, authentication bypass, privilege escalation, and supply-chain-style malicious code risks, while CISA also highlighted active exploitation of older legacy Microsoft and Adobe flaws that remain dangerous on unpatched or end-of-life systems.
Reporting tied some of the newly listed issues to concrete attack activity and elevated operational risk. Apple flaws added to KEV were reported as exploitable through malicious web content or apps and could lead to arbitrary code execution or kernel-level execution. The critical Langflow bug CVE-2025-34291 was described as enabling session hijacking, token theft, persistence, and possible full system compromise in AI workflow deployments; separate reporting said the Iranian threat actor MuddyWater used it for initial access. Trend Micro said it observed at least one attempted in-the-wild exploitation of its Apex One flaw, and coverage of Ivanti vulnerabilities warned that defenders should not rely solely on shared indicators of compromise. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies were ordered to remediate each KEV-listed flaw by assigned deadlines, and CISA urged all organizations to apply vendor fixes or mitigations immediately and discontinue use of affected products if no mitigation is available.

How this story unfolded
30 events from the most recent confirmed update back to the earliest known activity.
CISA adds Arista, Google, and Cisco flaws to KEV catalog
On June 9, 2026, CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-7473 in Arista Extensible Operating System, CVE-2026-11645 in Google Chromium V8, and CVE-2026-20245 in Cisco Catalyst SD-WAN Manager. CISA said the additions were based on evidence of active exploitation and urged organizations to prioritize remediation.
CISA adds PAN-OS flaw CVE-2026-0257 to KEV
On May 29, 2026, CISA added CVE-2026-0257, an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS, to the KEV catalog based on evidence of active exploitation.
CISA adds LiteSpeed cPanel Plugin flaw CVE-2026-48172 to KEV
On May 26, 2026, CISA added CVE-2026-48172, a LiteSpeed cPanel Plugin privilege escalation vulnerability, to the KEV catalog after determining there was evidence of active exploitation.
Ctrl-Alt-Intel reports MuddyWater exploited Langflow flaw
In March 2026, Ctrl-Alt-Intel reported that the Iranian threat actor MuddyWater exploited Langflow vulnerability CVE-2025-34291 for initial access. This linked a specific threat actor to real-world exploitation of the flaw later added to CISA's KEV catalog.
CISA adds Langflow and Trend Micro Apex One flaws to KEV
On May 21, 2026, CISA added CVE-2025-34291, a Langflow origin validation error vulnerability, and CVE-2026-34926, a Trend Micro Apex One on-premise directory traversal vulnerability, to the KEV catalog after determining there was evidence of active exploitation. Multiple reports noted the Langflow flaw could enable session hijacking, token theft, and potentially arbitrary code execution, while Trend Micro said it had observed at least one attempted in-the-wild exploitation of the Apex One issue.
CISA adds seven Microsoft and Adobe vulnerabilities to KEV
On May 20, 2026, CISA added seven actively exploited vulnerabilities affecting Microsoft Windows, Microsoft DirectX, Adobe Acrobat and Reader, Microsoft Internet Explorer, and Microsoft Defender to the KEV catalog. The set included legacy flaws from 2008 through 2010 as well as two 2026 Microsoft Defender vulnerabilities.
CISA adds Microsoft Exchange flaw CVE-2026-42897 to KEV
On May 15, 2026, CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability, to the KEV catalog based on evidence of active exploitation.
CISA adds LiteLLM SQL injection flaw CVE-2026-42208 to KEV
On May 8, 2026, CISA added CVE-2026-42208, a SQL injection vulnerability affecting BerriAI LiteLLM, to the KEV catalog after determining there was evidence of active exploitation.
CISA adds Ivanti EPMM flaw CVE-2026-6973 to KEV
On May 7, 2026, CISA added CVE-2026-6973, an improper input validation vulnerability affecting Ivanti Endpoint Manager Mobile, to the KEV catalog based on active exploitation.
CISA adds Linux Kernel flaw CVE-2026-31431 to KEV
On May 1, 2026, CISA added CVE-2026-31431, a Linux Kernel incorrect resource transfer between spheres vulnerability, to the KEV catalog after obtaining evidence of active exploitation.
CISA adds four vulnerabilities affecting Samsung, SimpleHelp, and D-Link
On April 24, 2026, CISA added four vulnerabilities affecting Samsung MagicINFO 9 Server, SimpleHelp, and the D-Link DIR-823X to the KEV catalog. The flaws included path traversal, missing authorization, and command injection issues under active exploitation.
CISA adds Marimo flaw CVE-2026-39987 to KEV
On April 23, 2026, CISA added CVE-2026-39987, a Marimo remote code execution vulnerability, to the KEV catalog based on evidence of active exploitation.
CISA adds Microsoft Defender flaw CVE-2026-33825 to KEV
On April 22, 2026, CISA added CVE-2026-33825, a Microsoft Defender insufficient granularity of access control vulnerability, to the KEV catalog after determining there was evidence of active exploitation.
CISA adds eight exploited vulnerabilities across six products to KEV
On April 20, 2026, CISA added eight vulnerabilities affecting PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager to the KEV catalog. CISA said the additions were based on evidence of active exploitation.
CISA adds Apache ActiveMQ flaw CVE-2026-34197 to KEV
On April 16, 2026, CISA added CVE-2026-34197, an Apache ActiveMQ improper input validation vulnerability, to the KEV catalog after determining there was evidence of active exploitation.
CISA adds Microsoft Office and SharePoint flaws to KEV
On April 14, 2026, CISA added CVE-2009-0238, a Microsoft Office remote code execution flaw, and CVE-2026-32201, a Microsoft SharePoint Server improper input validation vulnerability, to the KEV catalog.
CISA adds seven exploited vulnerabilities across Microsoft, Adobe, and Fortinet
On April 13, 2026, CISA added seven new vulnerabilities to the KEV catalog affecting Microsoft Visual Basic for Applications, Adobe Acrobat, Microsoft Exchange Server, Microsoft Windows, Fortinet products, and Adobe Acrobat and Reader. The agency said all seven had evidence of active exploitation.
CISA adds Ivanti EPMM flaw CVE-2026-1340 to KEV
On April 8, 2026, CISA added CVE-2026-1340, a code injection vulnerability affecting Ivanti Endpoint Manager Mobile, to the KEV catalog after determining there was evidence of active exploitation.
CISA adds Fortinet FortiClient EMS flaw CVE-2026-35616 to KEV
On April 6, 2026, CISA added CVE-2026-35616, an improper access control vulnerability affecting Fortinet FortiClient EMS, to the KEV catalog based on active exploitation.
CISA adds Google Dawn flaw CVE-2026-5281 to KEV
On April 1, 2026, CISA added CVE-2026-5281, a Google Dawn use-after-free vulnerability, to the KEV catalog after determining there was evidence of active exploitation.
CISA adds F5 BIG-IP flaw CVE-2025-53521 to KEV
On March 27, 2026, CISA added CVE-2025-53521, an F5 BIG-IP remote code execution vulnerability, to the KEV catalog after obtaining evidence of active exploitation.
CISA adds Aqua Security Trivy flaw CVE-2026-33634 to KEV
On March 26, 2026, CISA added CVE-2026-33634, identified as an Aqua Security Trivy Embedded Malicious Code vulnerability, to the KEV catalog based on active exploitation evidence.
CISA adds Langflow code injection flaw CVE-2026-33017 to KEV
On March 25, 2026, CISA added CVE-2026-33017, a Langflow code injection vulnerability, to the KEV catalog after obtaining evidence of active exploitation.
CISA adds Cisco firewall management flaw CVE-2026-20131 to KEV
On March 19, 2026, CISA added CVE-2026-20131 affecting Cisco Secure Firewall Management Center and Cisco Security Cloud Control Firewall Management to the KEV catalog. The flaw was described as a deserialization of untrusted data issue under active exploitation.
CISA adds Synacor Zimbra flaw CVE-2025-66376 to KEV
On March 18, 2026, CISA added CVE-2025-66376, a cross-site scripting vulnerability affecting Synacor Zimbra Collaboration Suite, to the KEV catalog based on active exploitation.
CISA adds Wing FTP Server flaw CVE-2025-47813 to KEV
On March 16, 2026, CISA added CVE-2025-47813, an information disclosure vulnerability in Wing FTP Server, to the KEV catalog after evidence of active exploitation emerged.
CISA adds two Google vulnerabilities to KEV
On March 13, 2026, CISA added CVE-2026-3909, a Google Skia out-of-bounds write flaw, and CVE-2026-3910, a Google Chromium V8 vulnerability, to the KEV catalog. The agency said both were being actively exploited.
CISA adds n8n vulnerability CVE-2025-68613 to KEV
On March 11, 2026, CISA added CVE-2025-68613 affecting n8n to its Known Exploited Vulnerabilities catalog after finding evidence of active exploitation. CISA described it as an improper control of dynamically managed code resources issue.
CISA adds Ivanti, SolarWinds, and Omnissa flaws to KEV catalog
On March 9, 2026, CISA added CVE-2026-1603 in Ivanti Endpoint Manager, CVE-2025-26399 in SolarWinds Web Help Desk, and CVE-2021-22054 in Omnissa Workspace ONE to the KEV catalog based on active exploitation. The listed issues included authentication bypass, deserialization-based remote code execution, and server-side request forgery.
CISA adds three Apple vulnerabilities to KEV catalog
On March 5, 2026, CISA added three actively exploited Apple vulnerabilities affecting macOS, iOS, iPadOS, Safari, and related platforms to its Known Exploited Vulnerabilities catalog. The flaws included two use-after-free issues and one integer overflow issue that could lead to memory corruption, arbitrary code execution, or kernel-privileged code execution.


