CISA Adds Actively Exploited Vulnerabilities to the Known Exploited Vulnerabilities Catalog
CISA updated its Known Exploited Vulnerabilities (KEV) Catalog after identifying evidence of active exploitation in the wild, reinforcing that organizations should prioritize remediation under BOD 22-01 timelines (for FCEB agencies) and as a broader risk-reduction measure for all enterprises. One update added CVE-2025-68613 affecting n8n, described as an improper control of dynamically-managed code resources issue, and CISA emphasized that KEV entries represent vulnerabilities being leveraged by threat actors.
Separate KEV-related reporting described additional catalog additions tied to active exploitation, including CVE-2026-1603 (Ivanti Endpoint Manager) described as an authentication bypass with potential exposure of credential data (fixed in EPM 2024 SU5), CVE-2025-26399 (SolarWinds Web Help Desk) described as a critical deserialization/RCE issue in AjaxProxy (fixed in WHD 12.8.7 HF1), and CVE-2021-22054 (Omnissa/VMware Workspace ONE) described as an SSRF. Additional coverage also highlighted CISA’s KEV addition of multiple Apple vulnerabilities—CVE-2023-43000, CVE-2023-41974 (both use-after-free), and CVE-2021-30952 (integer overflow)—impacting macOS/iOS/iPadOS and related platforms, with exploitation reported as active and patching urged to reduce risk of arbitrary code execution and elevated privileges.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
47 events from the most recent confirmed update back to the earliest known activity.
CISA adds SolarWinds Serv-U flaw CVE-2026-28318 to KEV
On 2026-06-05, CISA added CVE-2026-28318, an uncontrolled resource consumption vulnerability affecting SolarWinds Serv-U, to its Known Exploited Vulnerabilities catalog after obtaining evidence of active exploitation. CISA said this vulnerability class is a frequent attack vector for malicious cyber actors and urged timely remediation under Binding Operational Directive 22-01.
CISA adds Mirasvit Full Page Cache Warmer flaw CVE-2026-45247 to KEV
On 2026-06-03, CISA added CVE-2026-45247, a deserialization of untrusted data vulnerability affecting Mirasvit Full Page Cache Warmer, to its Known Exploited Vulnerabilities catalog after obtaining evidence of active exploitation. CISA said this vulnerability class is a common attack vector for malicious cyber actors and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds two known exploited vulnerabilities to KEV catalog
On 2026-06-02, CISA published an alert stating it added two vulnerabilities to its Known Exploited Vulnerabilities catalog. The provided reference does not include the substantive advisory details, so the specific CVEs, affected products, and remediation deadlines are not visible.
CISA adds Linux kernel and Android Framework flaws to KEV
On 2026-06-02, CISA added CVE-2022-0492 in the Linux kernel and CVE-2025-48595 in Android Framework to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CISA directed Federal Civilian Executive Branch agencies to remediate the flaws by 2026-06-05, and the reference notes Google addressed the Android issue in its June 2026 Android security patches.
CISA adds Oracle WebLogic flaw CVE-2024-21182 to KEV
On 2026-06-01, CISA added CVE-2024-21182, a vulnerability affecting Oracle WebLogic Server, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CISA said this vulnerability class is a frequent attack vector for malicious cyber actors and urged timely remediation under Binding Operational Directive 22-01.
CISA adds Palo Alto PAN-OS flaw CVE-2026-0257 to KEV
On 2026-05-29, CISA added CVE-2026-0257, an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said this vulnerability class is a common attack vector that poses significant risk to the federal enterprise and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds three new vulnerabilities to KEV catalog
On 2026-05-27, CISA added three vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2026-8398 in Daemon Tools Lite, CVE-2026-45321 in TanStack, and CVE-2026-48027 in Nx Console. CISA said the flaws were actively exploited and required remediation under Binding Operational Directive 22-01.
CISA adds LiteSpeed cPanel Plugin flaw CVE-2026-48172 to KEV
On 2026-05-26, CISA added CVE-2026-48172, a privilege escalation vulnerability affecting the LiteSpeed cPanel Plugin, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said this vulnerability class is a common attack vector that poses significant risk to the federal enterprise and urged timely remediation under Binding Operational Directive 22-01.
CISA adds Langflow and Trend Micro Apex One flaws to KEV
On 2026-05-21, CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2025-34291, a Langflow origin validation error vulnerability, and CVE-2026-34926, a Trend Micro Apex One (On-Premise) directory traversal vulnerability. CISA said both were actively exploited and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds seven new vulnerabilities to KEV catalog
On 2026-05-20, CISA added seven vulnerabilities affecting Microsoft Windows, Microsoft DirectX, Adobe Acrobat and Reader, Microsoft Internet Explorer, and Microsoft Defender to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaws, including legacy issues from 2008–2010 and two newer 2026 Microsoft Defender vulnerabilities, are common attack vectors that pose significant risk to the federal enterprise and require remediation under BOD 22-01.
CISA adds Microsoft Exchange Server flaw CVE-2026-42897 to KEV
On 2026-05-15, CISA added CVE-2026-42897, a Microsoft Exchange Server cross-site scripting vulnerability, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said this vulnerability class is a common attack vector that poses significant risk to the federal enterprise and urged timely remediation under BOD 22-01.
CISA adds BerriAI LiteLLM flaw CVE-2026-42208 to KEV
On 2026-05-08, CISA added CVE-2026-42208, a SQL injection vulnerability affecting BerriAI LiteLLM, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said this vulnerability class is a common attack vector that poses significant risk to the federal enterprise and urged timely remediation under BOD 22-01.
CISA adds Ivanti EPMM flaw CVE-2026-6973 to KEV
On 2026-05-07, CISA added CVE-2026-6973, an improper input validation vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged timely remediation under Binding Operational Directive 22-01.
CISA adds Linux Kernel flaw CVE-2026-31431 to KEV
On 2026-05-01, CISA added CVE-2026-31431, an incorrect resource transfer between spheres vulnerability in the Linux Kernel, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said vulnerabilities of this type are frequently used by malicious cyber actors, pose significant risk to the federal enterprise, and should be prioritized for remediation under BOD 22-01.
CISA adds four new vulnerabilities to KEV catalog
On 2026-04-24, CISA added four vulnerabilities affecting Samsung MagicINFO 9 Server, SimpleHelp, and the D-Link DIR-823X to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the path traversal, missing authorization, and command injection flaws are common attack vectors that pose significant risk to the federal enterprise and urged timely remediation under BOD 22-01.
CISA adds Marimo flaw CVE-2026-39987 to KEV
On 2026-04-23, CISA added CVE-2026-39987, a remote code execution vulnerability affecting Marimo, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged timely remediation under Binding Operational Directive 22-01.
CISA adds Microsoft Defender flaw CVE-2026-33825 to KEV
On 2026-04-22, CISA added CVE-2026-33825, an insufficient granularity of access control vulnerability affecting Microsoft Defender, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged timely remediation under Binding Operational Directive 22-01.
CISA adds eight new vulnerabilities to KEV catalog
On 2026-04-20, CISA added eight vulnerabilities affecting PaperCut NG/MF, JetBrains TeamCity, Kentico Xperience, Quest KACE SMA, Synacor Zimbra Collaboration Suite, and Cisco Catalyst SD-WAN Manager to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaws are common attack vectors that pose significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.
CISA adds Apache ActiveMQ flaw CVE-2026-34197 to KEV
On 2026-04-16, CISA added CVE-2026-34197, an improper input validation vulnerability affecting Apache ActiveMQ, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged timely remediation under BOD 22-01.
CISA adds Microsoft Office and SharePoint flaws to KEV
On 2026-04-14, CISA added two vulnerabilities to its Known Exploited Vulnerabilities catalog: CVE-2009-0238, a Microsoft Office remote code execution flaw, and CVE-2026-32201, an improper input validation vulnerability in Microsoft SharePoint Server. CISA said both were actively exploited and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds seven new vulnerabilities to KEV catalog
On 2026-04-13, CISA added seven vulnerabilities affecting Microsoft Visual Basic for Applications, Adobe Acrobat, Microsoft Exchange Server, Microsoft Windows, Fortinet products, and Adobe Acrobat and Reader to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaws are common attack vectors that pose significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.
CISA adds Ivanti EPMM flaw CVE-2026-1340 to KEV
On 2026-04-08, CISA added CVE-2026-1340, a code injection vulnerability affecting Ivanti Endpoint Manager Mobile (EPMM), to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw presents significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.
CISA adds Fortinet FortiClient EMS flaw CVE-2026-35616 to KEV
On 2026-04-06, CISA added CVE-2026-35616, an improper access control vulnerability affecting Fortinet FortiClient EMS, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw presents significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.
CISA adds Google Dawn flaw CVE-2026-5281 to KEV
On 2026-04-01, CISA added CVE-2026-5281, a Google Dawn use-after-free vulnerability, to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.
CISA adds F5 BIG-IP flaw CVE-2025-53521 to KEV
On 2026-03-27, CISA added CVE-2025-53521, a remote code execution vulnerability affecting F5 BIG-IP, to its Known Exploited Vulnerabilities catalog after obtaining evidence of active exploitation. CISA warned the flaw poses significant risk to the federal enterprise and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds Aqua Security Trivy flaw CVE-2026-33634 to KEV
On 2026-03-26, CISA added CVE-2026-33634, an Aqua Security Trivy Embedded Malicious Code vulnerability, to its Known Exploited Vulnerabilities catalog after obtaining evidence of active exploitation. CISA said the flaw is a frequent attack vector that poses significant risk to the federal enterprise and urged prioritized remediation.
CISA adds Langflow code injection flaw CVE-2026-33017 to KEV
On 2026-03-25, CISA added CVE-2026-33017, a code injection vulnerability affecting Langflow, to its Known Exploited Vulnerabilities catalog after obtaining evidence of active exploitation. CISA said the flaw poses significant risk to the federal enterprise and urged prioritized remediation under BOD 22-01.
CISA adds Cisco firewall management flaw CVE-2026-20131 to KEV
On 2026-03-19, CISA added CVE-2026-20131, a deserialization of untrusted data vulnerability affecting Cisco Secure Firewall Management Center and Cisco Security Cloud Control Firewall Management, to the KEV catalog. CISA said the flaw was under active exploitation and posed significant risk to the federal enterprise.
CISA adds Synacor Zimbra XSS flaw CVE-2025-66376 to KEV
On 2026-03-18, CISA added CVE-2025-66376, a cross-site scripting vulnerability affecting Synacor Zimbra Collaboration Suite, to the KEV catalog. The agency said the flaw was actively exploited and should be prioritized for remediation.
CISA adds Wing FTP Server vulnerability CVE-2025-47813 to KEV
On 2026-03-16, CISA added CVE-2025-47813, an information disclosure vulnerability in Wing FTP Server, to the KEV catalog after evidence of active exploitation emerged. CISA warned that the issue presented significant risk to federal agencies and urged timely patching.
CISA adds Google Skia and Chromium V8 flaws to KEV
On 2026-03-13, CISA added CVE-2026-3909, a Google Skia out-of-bounds write vulnerability, and CVE-2026-3910, a Google Chromium V8 vulnerability, to the KEV catalog. The agency said both were being actively exploited and required prompt remediation.
CISA adds n8n vulnerability CVE-2025-68613 to KEV
On 2026-03-11, CISA added CVE-2025-68613, an improper control of dynamically managed code resources vulnerability affecting n8n, to the KEV catalog after evidence of active exploitation. CISA said the flaw posed significant risk to the federal enterprise and required remediation under BOD 22-01.
CISA adds Ivanti, SolarWinds, and Omnissa flaws to KEV catalog
By 2026-03-09, CISA had added three vulnerabilities to the KEV catalog based on active exploitation evidence: CVE-2026-1603 in Ivanti Endpoint Manager, CVE-2025-26399 in SolarWinds Web Help Desk, and CVE-2021-22054 in Omnissa Workspace ONE. The listed issues included authentication bypass, unauthenticated remote code execution, and SSRF risks.
CISA adds three Apple vulnerabilities to KEV catalog
On 2026-03-05, CISA added three actively exploited Apple vulnerabilities affecting macOS, iOS, iPadOS, Safari, and related platforms to its Known Exploited Vulnerabilities catalog. The flaws included two use-after-free issues and one integer overflow issue that could lead to memory corruption, arbitrary code execution, and in one case kernel-privileged code execution.
CISA adds one vulnerability to KEV catalog
On 2026-01-27, CISA announced it had added one known exploited vulnerability to its Known Exploited Vulnerabilities catalog. The advisory indicates CISA had evidence of active exploitation and urged remediation in line with KEV guidance.
CISA adds four known exploited vulnerabilities to KEV catalog
On 2025-03-04, CISA announced it had added four vulnerabilities to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. The agency said the flaws posed significant risk to the federal enterprise and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds one vulnerability to KEV catalog
On 2024-12-19, CISA announced it had added one known exploited vulnerability to its Known Exploited Vulnerabilities catalog. The advisory indicates CISA had evidence of active exploitation and urged remediation in line with KEV guidance.
CISA adds one vulnerability to KEV catalog
On 2024-08-15, CISA announced it had added one known exploited vulnerability to its Known Exploited Vulnerabilities catalog. The advisory indicates CISA had evidence of active exploitation and urged remediation in line with KEV guidance.
CISA adds three known exploited vulnerabilities to KEV catalog
On 2024-07-17, CISA announced it had added three vulnerabilities to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. The agency said the flaws posed significant risk to the federal enterprise and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds one vulnerability to KEV catalog
On 2024-02-09, CISA announced it had added one known exploited vulnerability to its Known Exploited Vulnerabilities catalog. The advisory indicated CISA had evidence of active exploitation and urged remediation in line with KEV guidance.
CISA adds Microsoft SharePoint flaw CVE-2023-29357 to KEV
On 2024-01-10, CISA added CVE-2023-29357, a Microsoft SharePoint Server privilege escalation vulnerability, to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CISA said this vulnerability type is a common attack vector and urged timely remediation under Binding Operational Directive 22-01.
CISA adds three known exploited vulnerabilities to KEV catalog
On 2023-11-14, CISA announced it had added three vulnerabilities to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. The agency said the flaws posed significant risk to the federal enterprise and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds six known exploited vulnerabilities to KEV catalog
On 2023-11-13, CISA announced it had added six vulnerabilities to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. The agency said the flaws posed significant risk to the federal enterprise and urged prioritized remediation under Binding Operational Directive 22-01.
CISA adds one known exploited vulnerability to KEV catalog
On 2023-08-21, CISA announced it had added one known exploited vulnerability to its Known Exploited Vulnerabilities catalog. The advisory indicated CISA had evidence of active exploitation and urged remediation in line with Binding Operational Directive 22-01.
CISA adds one known exploited vulnerability to KEV catalog
On 2022-09-23, CISA announced it had added one known exploited vulnerability to its Known Exploited Vulnerabilities catalog. The advisory indicated CISA had evidence of active exploitation and urged remediation in line with Binding Operational Directive 22-01.
CISA adds eight known exploited vulnerabilities to KEV catalog
On 2022-04-11, CISA announced it had added eight vulnerabilities to its Known Exploited Vulnerabilities catalog after determining there was evidence of active exploitation. The agency said these flaws posed significant risk to the federal enterprise and urged prioritized remediation under Binding Operational Directive 22-01.
CISA orders federal agencies to remediate hundreds of exploited flaws
On 2021-11-03, CISA ordered U.S. federal civilian agencies to fix hundreds of known exploited security vulnerabilities under Binding Operational Directive 22-01. The action established remediation deadlines for vulnerabilities in CISA's Known Exploited Vulnerabilities catalog and marked an early major federal push to address actively abused flaws.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
50 references tracked. Mallory keeps watching after this page renders.
CISA Adds One Known Exploited Vulnerability to Catalog | CISA
cisa.gov
Open sourceCISA adds Three Vulnerabilities to KEV Catalog - TheCyberThrone
thecyberthrone.in
Open sourceCISA adds Android and Linux kernel flaws to exploited vulnerabilities catalog | brief | SC Media
scworld.com
Open sourceU.S. CISA adds Android and Linux Kernel flaws to its Known Exploited Vulnerabilities catalog
securityaffairs.com
Open sourceCISA Adds Four Known Exploited Vulnerabilities to Catalog | CISA
cisa.gov
Open sourceCISA Adds One Known Exploited Vulnerability to Catalog | CISA
cisa.gov
Open sourceCISA Adds One Known Exploited Vulnerability to Catalog | CISA
cisa.gov
Open sourceReducing the Significant Risk of Known Exploited Vulnerabilities | CISA
cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
CISA Adds Omnissa Workspace ONE, SolarWinds Web Help Desk, and Ivanti EPM Flaws to KEV Catalog
CISA added three vulnerabilities to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2021-22054** (Omnissa *Workspace ONE UEM* / formerly VMware Workspace ONE UEM, **SSRF**), **CVE-2025-26399** (SolarWinds *Web Help Desk*, **deserialization of untrusted data** in `AjaxProxy` enabling command execution), and **CVE-2026-1603** (Ivanti *Endpoint Manager (EPM)*, **authentication bypass**). CISA reiterated that KEV-listed issues are common intrusion vectors and that Federal Civilian Executive Branch (FCEB) agencies must remediate per **BOD 22-01** deadlines, while strongly urging all organizations to prioritize patching/mitigation of KEV entries as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the 2026-03-09 catalog release, increasing the catalog count and adding records for the newly listed CVEs, including short descriptions, required actions, and remediation due dates (e.g., **2026-03-23** for CVE-2021-22054 and **2026-03-12** for CVE-2025-26399). Separate reporting about CISA warning on exploited **Apple** vulnerabilities (macOS/iOS/iPadOS/Safari) describes a different set of CVEs and does not align with the KEV additions in this alert.
Mar 23, 2026
CISA Adds Five Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **five vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of **active exploitation**, urging organizations to prioritize remediation and reminding U.S. Federal Civilian Executive Branch (FCEB) agencies that **BOD 22-01** requires fixes by mandated due dates. The newly added KEVs are **CVE-2017-7921** (Hikvision improper authentication), **CVE-2021-22681** (Rockwell insufficiently protected credentials), and three Apple issues: **CVE-2021-30952** (integer overflow/wraparound), **CVE-2023-41974** (iOS/iPadOS use-after-free), and **CVE-2023-43000** (use-after-free affecting multiple Apple products). CISA emphasized that KEV-listed flaws are common attack vectors and represent elevated risk, even for non-federal organizations. CISA’s public *kev-data* repository reflects the same update, increasing the catalog count from **1531 to 1536** and recording a remediation **due date of 2026-03-26** for at least **CVE-2017-7921** (with required action to apply vendor mitigations or discontinue use if unavailable). Separately, Cisco Talos published a 2025 CVE retrospective that provides broader context on the growing volume of vulnerabilities and KEV additions, noting a year-over-year increase in KEVs and highlighting persistent exploitation of older CVEs; however, it does not add incident-specific details about the five newly listed KEVs beyond reinforcing the operational importance of patching and compensating controls for unpatchable systems.
Mar 26, 2026
CISA Adds Four Actively Exploited Vulnerabilities to the KEV Catalog
CISA added **four vulnerabilities** to its **Known Exploited Vulnerabilities (KEV) Catalog** based on evidence of active exploitation: **CVE-2008-0015** (Microsoft Windows Video ActiveX Control RCE), **CVE-2020-7796** (Synacor *Zimbra Collaboration Suite* SSRF, noted as relevant when the WebEx zimlet is installed and zimlet JSP is enabled), **CVE-2024-7694** (TeamT5 *ThreatSonar Anti-Ransomware* unrestricted file upload that can enable server-side command execution when an attacker has admin access to the platform), and **CVE-2026-2441** (Google Chromium CSS use-after-free). Under **BOD 22-01**, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate KEV-listed issues by CISA’s specified due dates, and CISA urged all organizations to prioritize remediation as part of vulnerability management. CISA’s public KEV data repository was updated to reflect the new catalog release (increasing the total count and adding entries including **CVE-2020-7796** and **CVE-2024-7694** with remediation guidance and metadata). Separately, industry commentary emphasized that KEV is best used as a prioritization input rather than a blanket “panic list,” recommending teams weigh exploitability context (e.g., required privileges/local access vs. remote control) and combine KEV with other signals such as **CVSS**, **EPSS**, and observed exploit tooling to drive patch sequencing.
Mar 21, 2026