// #cisa-kev
Cisco Catalyst SD-WAN Manager CVE-2026-20262 Actively Exploited — Arbitrary File Overwrite Escalates to Root
A file upload vulnerability in Cisco Catalyst SD-WAN Manager is under active exploitation, allowing an attacker with network-operator level access to overwrite arbitrary files on the underlying operating system and escalate privileges to root. CISA added CVE-2026-20262 to the Known Exploited Vulnerabilities catalogue on 16 June, setting a federal remediation deadline.
PAN-OS GlobalProtect CVE-2026-0257 (CVSS 9.3): Authentication Bypass Exploited Against Government and Critical Infrastructure
Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass in the GlobalProtect gateway that allows an unauthenticated attacker to establish VPN sessions as arbitrary users. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue, and Palo Alto's Unit 42 has observed exploitation targeting government and critical infrastructure networks since at least 12 June.
Ivanti Sentry CVE-2026-10523 (CVSS 9.9): Second Critical Flaw Chains with CVE-2026-10520 for Complete Device Takeover
Ivanti has disclosed a second critical vulnerability in Sentry — CVE-2026-10523, an authentication bypass scoring CVSS 9.9 — that chains with the previously patched CVE-2026-10520 (CVSS 10.0) to enable complete unauthenticated takeover of the MDM gateway. Organisations that deployed the initial patch must apply additional updates; the two CVEs affect overlapping but distinct code paths.
The AI Infrastructure Security Deficit: Langflow, LiteLLM, and a Repeating Pattern
Two AI infrastructure components — Langflow and LiteLLM — have reached the CISA Known Exploited Vulnerabilities catalogue in June 2026, both with command injection vulnerabilities in Python-based AI tooling. The pattern reflects a systemic gap: AI infrastructure is being deployed in enterprise environments under procurement and security processes designed for end-user applications, not for server-side infrastructure with network-accessible APIs.
Ivanti Sentry CVE-2026-10520: CVSS 10.0 Pre-Authentication RCE Exploited After PoC Release
Ivanti has disclosed CVE-2026-10520, a CVSS 10.0 pre-authentication remote code execution vulnerability in Ivanti Sentry (formerly MobileIron Sentry) that is being actively exploited following public proof-of-concept release. A companion OS command injection flaw CVE-2026-10523 (CVSS 9.4) affects the same platform. Both require immediate action for all organisations running Ivanti Sentry in their mobile device management infrastructure.
Langflow CVE-2026-5027 Exploitation Accelerates: AI Workflow Builder's Path Traversal RCE Under Active Attack
Exploitation of CVE-2026-5027 in Langflow, the AI workflow builder, has intensified following public PoC release. The path traversal remote code execution vulnerability, added to CISA's KEV on 8 June, is being used to deploy credential stealers and post-exploitation agents against organisations running unsecured Langflow instances. Upgrade to Langflow 1.3.5 immediately.
Google Chrome Zero-Day CVE-2026-11645: V8 Out-of-Bounds Write Actively Exploited Before Patch
Google has released Chrome 149.0.7762.95 patching CVE-2026-11645, an out-of-bounds write in the V8 JavaScript engine that was actively exploited before disclosure. CISA has added the flaw to the Known Exploited Vulnerabilities catalogue. All users and enterprise deployments should update immediately — CISA's federal deadline is 30 June.
CISA Adds Chrome V8 Zero-Day, Cisco SD-WAN, and Arista EOS to Known Exploited Vulnerabilities Catalogue
CISA added three vulnerabilities to the KEV catalogue on 9 June: Google Chrome CVE-2026-11645 (V8 out-of-bounds write, actively exploited), Cisco SD-WAN CVE-2026-20245 (authentication bypass), and Arista EOS CVE-2026-7473 (privilege escalation command injection). Federal agencies face a 30 June remediation deadline across all three.
CVE-2026-50751: Check Point Security Gateway Authentication Bypass Actively Exploited in Ransomware Campaigns
CISA added CVE-2026-50751 to the Known Exploited Vulnerabilities catalogue on 8 June with a three-day remediation deadline and confirmed ransomware campaign use. The vulnerability is a CVSS 9.3 authentication bypass in Check Point Security Gateway's IKEv1 VPN protocol handling that allows unauthenticated attackers to bypass remote access VPN authentication entirely. An emergency hotfix is available.
CVE-2026-42271: BerriAI LiteLLM Command Injection Reaches CISA KEV — AI Infrastructure Under Attack
CISA added CVE-2026-42271 in BerriAI LiteLLM to the Known Exploited Vulnerabilities catalogue on 8 June, confirming active exploitation of a command injection vulnerability that allows API keys with limited privileges to execute arbitrary commands on the LiteLLM host. Organisations running LiteLLM as an AI gateway should update to v1.83.7-stable immediately.
CISA KEV June 2026 Tracker: Vulnerability Additions, BOD 22-01 Deadlines, and Remediation Priorities
The CISA Known Exploited Vulnerabilities catalogue added three entries in the first week of June 2026, including the Oracle WebLogic deserialization vulnerability (CVE-2024-21182) and the Mirasvit Magento RCE (CVE-2026-45247). This tracker consolidates the June additions with their remediation deadlines and documents the patch availability status for each.
CVE-2026-45247: CISA Adds Mirasvit Magento Cache Warmer RCE to KEV — Unauthenticated PHP Deserialization Exploited in Wild
CISA added CVE-2026-45247 to the Known Exploited Vulnerabilities catalogue on 3 June, confirming active exploitation of a CVSS 9.8 PHP deserialization vulnerability in the Mirasvit Full Page Cache Warmer extension for Magento 2. Attackers exploit a malicious serialised cookie value to execute arbitrary code without authentication. The patch has been available since 25 May; organisations running Mirasvit FPC Warmer must update immediately.
Oracle WebLogic CVE-2024-21182 Added to CISA KEV — Federal Deadline June 4 as Ransomware Payloads Observed
CISA added CVE-2024-21182 to the Known Exploited Vulnerabilities catalogue on 1 June, citing confirmed active exploitation of the Oracle WebLogic Server unauthenticated remote attack vulnerability. Honeypot data shows attackers delivering Cobalt Strike beacons and ransomware payloads via the T3/IIOP protocol attack path. Federal civilian agencies must remediate by 4 June.
CISA KEV May 2026: Complete List of Known Exploited Vulnerabilities Added This Month and Enterprise Response Guidance
CISA's Known Exploited Vulnerabilities catalogue received multiple additions in May 2026, including developer toolchain supply-chain compromises, network appliance vulnerabilities, and Microsoft Windows flaws. This guide consolidates the May 2026 KEV additions with enterprise response guidance for each category.
CISA Adds Three Developer Toolchain Supply-Chain Attacks to KEV — DAEMON Tools, TanStack Query, Nx Console Compromised
CISA added three software supply-chain vulnerabilities to the Known Exploited Vulnerabilities catalogue on 27 May: CVE-2026-8398 (DAEMON Tools signed installer trojanised), CVE-2026-45321 (TanStack Query malicious npm package), and CVE-2026-48027 (Nx Console VS Marketplace extension backdoored). All three are attributed to TeamPCP's 'Mini Shai-Hulud' campaign targeting developer workstations.
PAN-OS GlobalProtect CVE-2026-0257: Rapid7 Confirms Second Exploitation Wave — CISA Adds to KEV
Rapid7 MDR confirmed on 21 May that a second, larger exploitation wave of CVE-2026-0257, an authentication bypass in Palo Alto Networks GlobalProtect VPN, began on 21 May targeting enterprise sectors not covered in the initial wave. CISA added the CVE to the Known Exploited Vulnerabilities catalogue with a 1 June remediation deadline. The vulnerability affects PAN-OS 10.2, 11.1, 11.2, and 12.1 as well as Prisma Access.
CISA Adds Seven to KEV Catalogue — Including Two Active Microsoft Defender Zero-Days Patched via Silent Engine Update
CISA's 20 May Known Exploited Vulnerabilities batch included CVE-2026-41091 (Microsoft Defender for Endpoint EoP, CVSS 7.8) and CVE-2026-45498 (Microsoft Defender DoS, CVSS 4.0), both patched via a silent Defender engine update pushed on 19 May. The batch also included five legacy Windows and Adobe vulnerabilities from 2008–2010 indicating re-exploitation of outdated systems in active campaigns.
Cisco SD-WAN CVE-2026-20182 Post-Compromise Forensics: Identifying Rogue Device Injection in Catalyst SD-WAN Deployments
CVE-2026-20182, the CVSS 10.0 Cisco Catalyst SD-WAN Manager zero-day added to CISA KEV on 14 May, was exploited before Cisco released the patch. Organisations that ran vManage on publicly accessible addresses during the exposure window must now forensically audit their SD-WAN device inventory and API authentication logs for signs of rogue device registration and traffic interception.
Microsoft Exchange Server Zero-Day CVE-2026-42897 Actively Exploited in XSS Attacks — OOB Mitigation Available, No Patch Yet
Microsoft disclosed an actively exploited cross-site scripting zero-day in Exchange Server (CVE-2026-42897) that allows attackers to inject malicious scripts into Outlook Web App sessions, hijack authenticated user sessions, and exfiltrate email content. No patch is available. Microsoft deployed an Emergency Exchange Mitigation Service (EEMS) rule as an interim control while a patch is developed.
Cisco Catalyst SD-WAN CVE-2026-20182 CVSS 10.0 Authentication Bypass Exploited as Zero-Day — Attackers Injecting Rogue SD-WAN Devices
Cisco disclosed a CVSS 10.0 authentication bypass in the Catalyst SD-WAN Manager that has been actively exploited as a zero-day, allowing unauthenticated attackers to inject rogue SD-WAN devices into the management plane and intercept or reroute enterprise WAN traffic. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalogue with a 72-hour patching deadline for federal agencies.
Ivanti EPMM CVE-2026-6973 — Remote Code Execution Added to CISA KEV, Patch Required
Ivanti has disclosed CVE-2026-6973, a remote code execution vulnerability in Endpoint Manager Mobile (EPMM, formerly MobileIron) that has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed limited exploitation. EPMM is a mobile device management platform used by government agencies and enterprises. Organisations should apply the available patch and audit administrator account activity. EPMM has a prior history of critical exploitation including the 2023 Norwegian government attack.
LiteLLM CVE-2026-42208 — SQL Injection in AI Gateway Proxy Added to CISA KEV
CVE-2026-42208, a SQL injection vulnerability in the LiteLLM AI gateway proxy, has been added to the CISA Known Exploited Vulnerabilities catalogue following confirmed exploitation. LiteLLM is widely deployed in enterprise environments as a unified API layer routing requests to multiple LLM providers (OpenAI, Anthropic, Azure OpenAI, Bedrock). Exploitation allows an attacker to read and modify the LiteLLM database, including API keys, user records, and model configuration. Update to LiteLLM 1.42.2 immediately.
PAN-OS CVE-2026-0300 — Unauthenticated RCE Zero-Day Actively Exploited in Firewall Espionage Attacks
A critical unauthenticated remote code execution vulnerability in Palo Alto Networks PAN-OS has been under active exploitation since at least early April 2026, linked to espionage-motivated threat actors targeting government and critical infrastructure networks. CVE-2026-0300 affects the User-ID authentication portal on VM-Series and hardware firewalls; CISA added it to the KEV catalogue on 6 May 2026. Patches are available — apply immediately.
Linux CopyFail LPE Added to CISA KEV With Active Exploitation Confirmed — CVE-2026-31431
CISA has added CVE-2026-31431 — the Linux kernel copy-on-write race condition LPE disclosed last week as 'CopyFail' — to the Known Exploited Vulnerabilities catalogue following confirmed active exploitation. All major Linux distributions have patches available. Federal agencies face a May 20 remediation deadline and all enterprise organisations should treat kernel patching as urgent.