CISA Expands KEV Catalog With Actively Exploited Enterprise Software Flaws
CISA added 14 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog across two updates, citing evidence of active exploitation against widely used enterprise products from Fortinet, Microsoft, Adobe, Cisco, JetBrains, PaperCut, Kentico, Quest, and Zimbra. The newly listed flaws affect FortiClient EMS, Adobe Acrobat Reader, Microsoft Windows Common Log File System Driver, Microsoft Exchange Server, Host Process for Windows Tasks, Microsoft Visual Basic for Applications, JetBrains TeamCity, PaperCut NG/MF, Kentico Xperience, Quest KACE SMA, Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager, and include privilege escalation, credential exposure, sensitive information disclosure, and cross-site scripting weaknesses.
Reporting tied several of the vulnerabilities to real-world intrusion activity and ransomware operations. Microsoft said threat actor Storm-1175 used CVE-2023-21529 to deliver Medusa ransomware, while CVE-2023-27351 has been linked to Lace Tempest deployments of Cl0p and LockBit. Defused Cyber also reported exploitation attempts against CVE-2026-21643. CISA said federal civilian agencies must remediate the newly added flaws on deadlines running from late April into May 2026 under Binding Operational Directive requirements, and private-sector defenders were urged to prioritize the KEV entries for patching and exposure reduction.

How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
CISA adds ScreenConnect and Windows flaws to the KEV catalog
On April 29, 2026, CISA added CVE-2024-1708 in ConnectWise ScreenConnect and CVE-2026-32202 in Microsoft Windows to its Known Exploited Vulnerabilities catalog after confirming active exploitation. The update signaled ongoing risk from unpatched self-hosted ScreenConnect systems and required federal agencies to remediate under Binding Operational Directive 22-01 timelines.
CISA adds eight more actively exploited flaws to the KEV catalog
On April 21, 2026, CISA expanded the KEV catalog with eight additional vulnerabilities affecting PaperCut, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager. The agency set remediation deadlines spanning April to May 2026 for federal agencies and urged private organizations to prioritize patching.
CISA adds six exploited flaws to the KEV catalog
On April 14, 2026, CISA added six vulnerabilities affecting Fortinet, Adobe, and Microsoft products to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. Federal Civilian Executive Branch agencies were ordered to remediate the listed flaws by April 27, 2026.
Storm-1175 uses CVE-2023-21529 to deliver Medusa ransomware
Microsoft said threat actor Storm-1175 exploited CVE-2023-21529 in Microsoft Exchange Server to deliver Medusa ransomware. This attribution was cited when CISA later added the flaw to the KEV catalog.
Exploitation attempts against CVE-2026-21643 observed
Defused Cyber reported exploitation attempts targeting CVE-2026-21643 beginning on March 24, 2026. The activity affected Fortinet FortiClient EMS and contributed to later KEV catalog action.
Akamai links Windows exploit chain to APT28 attacks in Europe and Ukraine
Akamai said the exploit chain involving CVE-2026-21510 and CVE-2026-21513, with CVE-2026-32202 stemming from an incomplete patch, was used in APT28 attacks targeting Ukraine and E.U. countries. The activity was described as ongoing since December 2025, adding new attribution and technical context beyond CISA's KEV listing.
Lace Tempest linked to exploitation of PaperCut flaw CVE-2023-27351
CVE-2023-27351 in PaperCut NG/MF was previously associated with Lace Tempest activity deploying Cl0p and LockBit ransomware. The reference cites this prior criminal use as context for CISA's later KEV addition.
Microsoft acknowledges targeted attacks exploiting CVE-2012-1854
Microsoft previously said CVE-2012-1854 in Visual Basic for Applications had been used in limited targeted attacks. This establishes that the flaw was exploited in the wild long before its 2026 KEV inclusion.
Sources
7 references tracked.
CISA Adds Actively Exploited ConnectWise and Windows Flaws to KEV (thehackernews.com)
CISA adds Two vulnerabilities to KEV catalog - TheCyberThrone (thecyberthrone.in)
U.S. CISA adds Cisco Catalyst, Kentico Xperience, PaperCut NG/MF, Synacor ZCS, Quest KACE SMA, and JetBrains TeamCity flaws to its Known Exploited Vulnerabilities catalog (securityaffairs.com)
CISA Adds 8 Flaws To KEV Catalog, Cisco Catalyst Included (thecyberexpress.com)
CISA flags another Cisco Catalyst SD-WAN Manager bug as exploited (CVE-2026-20133) - Help Net Security (helpnetsecurity.com)
CISA Adds Eight Actively Exploited Vulnerabilities to KEV Catalog - TheCyberThrone (thecyberthrone.in)
CISA Adds 6 Known Exploited Flaws in Fortinet, Microsoft, and Adobe Software (thehackernews.com)


