CISA Updates Known Exploited Vulnerabilities Catalog With New Entries Including Dell RecoverPoint Hard-Coded Credentials
CISA updated its Known Exploited Vulnerabilities (KEV) Catalog with additional vulnerabilities confirmed as exploited in the wild, reinforcing patch/mitigation urgency under BOD 22-01 timelines. The KEV print catalog shows the addition of CVE-2026-22769 affecting Dell RecoverPoint for Virtual Machines (RP4VMs), described as a use of hard-coded credentials issue that could allow an unauthenticated remote attacker to gain unauthorized access to the underlying OS and establish root-level persistence; CISA’s entry points to Dell advisories/remediation guidance and third-party reporting on active exploitation.
A corresponding update to CISA’s public kev-data repository reflects the routine publication of refreshed KEV data files and includes multiple KEV rows (e.g., CVE-2024-7694 in TeamT5 ThreatSonar Anti-Ransomware for unrestricted file upload leading to command execution with admin privileges on the platform, and legacy items such as CVE-2008-0015 in Microsoft Windows Video ActiveX Control). The KEV print view also lists other exploited items such as CVE-2021-22175 in GitLab (SSRF when internal-network webhook requests are enabled), underscoring that the catalog update spans multiple vendors and vulnerability classes and should be treated as an operational patching priority.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
CISA publishes updated KEV data files with newly tracked exploited CVEs
A cisagov/kev-data GitHub commit published updated KEV files containing the same set of known exploited vulnerabilities and associated remediation deadlines and references. This represents the public data-file update corresponding to the catalog changes.
CISA adds multiple vulnerabilities to the KEV catalog
CISA's Known Exploited Vulnerabilities catalog reflects multiple vulnerabilities as known exploited, including BeyondTrust Remote Support/PRA CVE-2026-1731, Apple CVE-2026-20700, Chromium CVE-2026-2441, Microsoft Configuration Manager CVE-2024-43468, TeamT5 ThreatSonar Anti-Ransomware CVE-2024-7694, Notepad++ CVE-2025-15556, and Windows Video ActiveX CVE-2008-0015. The catalog entry indicates these flaws were formally tracked by CISA for federal remediation.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds GitLab SSRF and Dell RP4VM Hard-coded Credentials to KEV Catalog
CISA added **two actively exploited vulnerabilities** to its Known Exploited Vulnerabilities (KEV) Catalog: **CVE-2021-22175** (a **GitLab** server-side request forgery (SSRF) issue related to enabling internal-network requests for webhooks) and **CVE-2026-22769** (a **Dell RecoverPoint for Virtual Machines (RP4VMs)** vulnerability involving **hard-coded credentials** that can enable unauthenticated access to the underlying OS and **root-level persistence**). Under **BOD 22-01**, Federal Civilian Executive Branch (FCEB) agencies are required to remediate by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation of KEV-listed issues as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (catalog count increasing from **1522** to **1524**) and to include the new entries with their remediation deadlines (GitLab due **2026-03-11**; Dell RP4VMs due **2026-02-21**). Separate commentary and guidance from industry media emphasized using KEV as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability and impact context (e.g., access prerequisites, remote control potential) and combine KEV with other signals such as **CVSS**, **EPSS**, and exploit/tooling intelligence to drive patch sequencing.
Mar 21, 2026
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.
Mar 21, 2026
CISA KEV updates and active exploitation alerts highlight shifting vulnerability risk
CISA’s *Known Exploited Vulnerabilities (KEV) Catalog* continued to expand with newly confirmed in-the-wild exploitation, including the addition of **four CVEs**: `CVE-2019-19006` (Sangoma FreePBX improper authentication), `CVE-2021-39935` (GitLab CE/EE SSRF), `CVE-2025-40551` (SolarWinds Web Help Desk deserialization of untrusted data), and `CVE-2025-64328` (Sangoma FreePBX OS command injection). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch agencies are required to remediate KEV-listed vulnerabilities by CISA’s due dates, and CISA urged non-federal organizations to use KEV as a prioritization input because these flaws are common initial access vectors. Separate reporting highlighted concerns about how CISA communicates changes to KEV metadata tied to ransomware risk: GreyNoise reported that across **59 instances in 2025**, CISA updated KEV entries to reflect **ransomware-associated exploitation** without proactively notifying defenders when the “known ransomware use” flag changed from *Unknown* to *Known*, which can materially affect patch prioritization. In parallel, third-party coverage described a CISA high-priority alert for a **critical KiloView Encoder Series** issue, `CVE-2026-1453` (CVSS **9.8**), caused by **missing authentication for critical functions** that could allow unauthenticated attackers to create/delete administrator accounts and gain full administrative control—posing disruption and lateral-movement risk in broadcast/production networks.
Mar 21, 2026