CISA KEV Adds Exploited Flaws in Microsoft Excel, SharePoint, and Apache ActiveMQ
CISA updated its Known Exploited Vulnerabilities catalog to add three newly listed flaws affecting Microsoft Office Excel, Microsoft SharePoint Server, and Apache ActiveMQ. The additions increased the catalog total from 1,566 to 1,569 entries across two updates, with CISA identifying CVE-2009-0238 as a remote code execution vulnerability in Excel, CVE-2026-32201 as an improper input validation spoofing issue in SharePoint Server, and CVE-2026-34197 as an improper input validation flaw in ActiveMQ that can enable code injection.
CISA assigned federal remediation deadlines of 2026-04-28 for the Excel and SharePoint entries and 2026-04-30 for the ActiveMQ entry. The catalog records indicate that known ransomware use is unknown for all three vulnerabilities, while the ActiveMQ listing references both an Apache security advisory and the NVD entry, underscoring active exploitation concerns for widely deployed enterprise software and messaging infrastructure.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA adds Apache ActiveMQ flaw to KEV catalog
CISA updated its Known Exploited Vulnerabilities Catalog to version 2026.04.16, increasing the total listed vulnerabilities from 1,568 to 1,569. The update added CVE-2026-34197, an Apache ActiveMQ improper input validation vulnerability allowing code injection, with a remediation due date of 2026-04-30.
CISA adds Excel and SharePoint flaws to KEV catalog
CISA updated its Known Exploited Vulnerabilities Catalog to version 2026.04.14, increasing the total listed vulnerabilities from 1,566 to 1,568. The update added CVE-2009-0238 affecting Microsoft Office Excel and CVE-2026-32201 affecting Microsoft SharePoint Server, both with remediation due dates of 2026-04-28.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Actively Exploited Microsoft SharePoint RCE to KEV Catalog
**CISA** added **CVE-2026-20963**, a **Microsoft SharePoint** deserialization flaw, to its **Known Exploited Vulnerabilities (KEV)** catalog after confirming active exploitation in the wild. The vulnerability allows an **unauthorized remote attacker** to execute arbitrary code over the network by sending crafted serialized data that SharePoint improperly deserializes, creating a **pre-authentication remote code execution** path. Reporting indicates the specific threat actors behind the attacks have not been publicly identified, but the flaw affects a widely deployed enterprise collaboration platform that often stores sensitive internal documents and communications. The KEV entry triggered urgent remediation requirements, including a **March 21, 2026** deadline for **FCEB agencies** under **Binding Operational Directive 22-01**. Additional reporting notes that the same KEV update also included vulnerabilities in **Wing FTP Server** and **Synacor Zimbra Collaboration Suite**, but the SharePoint issue stands out because of its likely value for **initial access brokers** and **ransomware affiliates** seeking enterprise footholds. Organizations using SharePoint should treat internet-exposed systems as high priority for patching and review for signs of compromise given confirmed in-the-wild exploitation.
Mar 26, 2026
CISA Adds Microsoft SharePoint and Zimbra Vulnerabilities to KEV Catalog
**CISA** added two newly tracked flaws to its **Known Exploited Vulnerabilities (KEV)** catalog: **CVE-2026-20963** in **Microsoft SharePoint** and **CVE-2025-66376** in **Synacor Zimbra Collaboration Suite**. The SharePoint issue is a deserialization of untrusted data vulnerability, mapped to `CWE-502`, that can allow code execution over the network; CISA’s KEV entry describes it as enabling an unauthorized attacker to execute code remotely. The Zimbra issue is a stored cross-site scripting flaw in the Classic UI, mapped to `CWE-79`, in which attackers can abuse CSS `@import` directives in email HTML. CISA’s KEV update requires federal civilian executive branch agencies to remediate the SharePoint flaw by **2026-03-21** and the Zimbra flaw by **2026-04-01**, or follow applicable mitigation guidance under **BOD 22-01**. The GitHub KEV data commit confirms both additions and records the required actions as applying vendor mitigations, following cloud-service guidance where relevant, or discontinuing use if mitigations are unavailable. The reporting also notes that, while the KEV catalog is binding on federal agencies, private organizations should review the catalog and prioritize these vulnerabilities because CISA has identified them as actively exploited.
Mar 22, 2026
CISA Expands KEV Catalog With Actively Exploited Enterprise Software Flaws
CISA added 14 vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog across two updates, citing evidence of active exploitation against widely used enterprise products from Fortinet, Microsoft, Adobe, Cisco, JetBrains, PaperCut, Kentico, Quest, and Zimbra. The newly listed flaws include issues in FortiClient EMS, Adobe Acrobat Reader, Microsoft Windows Common Log File System Driver, Microsoft Exchange Server, Host Process for Windows Tasks, Microsoft Visual Basic for Applications, JetBrains TeamCity, PaperCut NG/MF, Kentico Xperience, Quest KACE SMA, Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager, including privilege escalation, credential exposure, sensitive information disclosure, and cross-site scripting weaknesses. Reporting tied several of the vulnerabilities to real-world intrusion activity and ransomware operations. Microsoft said threat actor **Storm-1175** used `CVE-2023-21529` to deliver **Medusa ransomware**, while `CVE-2023-27351` has been linked to **Lace Tempest** deployments of **Cl0p** and **LockBit**. Defused Cyber also reported exploitation attempts against `CVE-2026-21643`, and CISA said federal civilian agencies must remediate the newly added flaws on deadlines running from late April into May 2026 under Binding Operational Directive requirements, while private-sector defenders were urged to prioritize the KEV entries for patching and exposure reduction.
Apr 29, 2026