// #cisa-kev
54 articles — page 2 of 3
CISA KEV Additions: Windows Shell Spoofing CVE-2026-32202 and Cisco SD-WAN Sensitive File Exposure CVE-2026-20133
CISA's late-April Known Exploited Vulnerabilities additions include a Windows Shell protection mechanism failure under active exploitation and a Cisco Catalyst SD-WAN Manager flaw allowing unauthenticated access to sensitive OS files. Federal agencies face a May 12 remediation deadline for CVE-2026-32202; enterprise organisations should treat both additions as confirmation of active threat actor interest and patch accordingly.
D-Link DIR-823X Command Injection CVE-2025-29635 Added to CISA KEV — Mirai Botnet Exploiting Actively
CVE-2025-29635, an authenticated command injection in D-Link DIR-823X routers, has been added to CISA's Known Exploited Vulnerabilities catalogue following an active Mirai botnet campaign documented by Akamai. CVSS 7.2 understates the real risk: D-Link DIR-823X reached end of life, meaning no patch will be issued. Organisations with these routers must replace them. Federal deadline: May 19, 2026.
CISA Adds Four Exploited Flaws to KEV — SimpleHelp RMT and Samsung MagicINFO Head New Additions
CISA's Known Exploited Vulnerabilities catalogue has grown by four entries including critical flaws in SimpleHelp remote management tooling and Samsung's MagicINFO digital signage platform. Federal agencies face a May 2026 remediation deadline. Enterprise operators of RMM tools and display infrastructure should treat these as urgent.
CISA Adds Quest KACE (CVSS 10.0), Kentico Xperience, and Zimbra ZCS to Known Exploited Vulnerabilities — Federal Deadline May 4
CISA's April 2026 KEV additions include a CVSS 10.0 unauthenticated SQL injection in Quest KACE Systems Management Appliance, active exploitation of Kentico Xperience CMS, and Zimbra Collaboration Suite vulnerabilities. Federal agencies have a May 4 remediation deadline; enterprise organisations should treat confirmed KEV additions as indicators of active attacker tooling and prioritise these systems immediately.
CISA Adds Eight CVEs to KEV: PaperCut, JetBrains TeamCity, and Cisco SD-WAN Actively Exploited
CISA's April 20 Known Exploited Vulnerabilities addition is the largest single-day batch this month, confirming active exploitation across enterprise print management, CI/CD pipelines, content management, and Cisco SD-WAN infrastructure. The batch spans CVE publication years from 2023 to 2026, demonstrating that unpatched legacy vulnerabilities continue to be weaponised alongside newly disclosed flaws. Federal agencies face a BOD 22-01 remediation deadline, and private sector organisations should treat these as immediate prioritisation signals.
CISA Confirms Active Exploitation of Windows Task Host Privilege Escalation CVE-2025-60710 — Four Public Exploits Available
A link-following flaw in the Windows Host Process for Tasks allows any local user to escalate to SYSTEM privileges. Patched in November 2025, CVE-2025-60710 has been confirmed as actively exploited — CISA added it to the Known Exploited Vulnerabilities catalogue on 13 April with a 27 April federal deadline. Four public proof-of-concept exploits are now freely available on GitHub.
Google Patches Fourth Chrome Zero-Day of 2026 — CVE-2026-5281 Use-After-Free in WebGPU
Google has patched CVE-2026-5281, a use-after-free vulnerability in Chrome's Dawn WebGPU implementation that is being actively exploited in the wild. This is the fourth Chrome zero-day exploited in attacks in 2026. CISA added it to the KEV catalogue on 1 April with a deadline of 15 April for federal agencies. Update to Chrome 146.0.7680.177/178.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Emergency Hotfix Available
A pre-authentication remote code execution zero-day in Fortinet FortiClient Enterprise Management Server (CVE-2026-35616, CVSS 9.1) has been under active exploitation since 31 March 2026, ahead of Fortinet's advisory. CISA added it to the KEV catalogue on 6 April with a federal deadline of 9 April. An emergency hotfix is available without requiring system downtime.
CISA Flags SharePoint Zero-Day CVE-2026-32201 as Actively Exploited — Patch Arrives Tomorrow
CISA has added CVE-2026-32201, a Microsoft SharePoint Server spoofing vulnerability under active exploitation, to the KEV catalogue with a 28 April remediation deadline. The timing is unusual: Microsoft has not yet released a patch as of this alert, with the fix expected in tomorrow's Patch Tuesday release. Organisations must decide whether to implement mitigations today or accept overnight exposure until the patch lands.
Adobe Acrobat Reader Zero-Day CVE-2026-34621 Exploited for Four Months Before Patch
Adobe has released an emergency patch for CVE-2026-34621, a prototype pollution vulnerability in Acrobat Reader that has been actively exploited since at least November 2025. Opening a crafted PDF triggers JavaScript execution that fingerprints the victim's system and can deploy RCE and sandbox escape payloads. CISA added the CVE to the KEV catalogue the same day, requiring federal agencies to patch by 27 April.
CISA Adds Seven CVEs to KEV Including Decade-Old Microsoft Bugs Exploited by Storm-1175
CISA has added seven vulnerabilities to the Known Exploited Vulnerabilities catalogue, including four Microsoft flaws spanning from 2012 to 2025 being actively leveraged by the Storm-1175 ransomware group. The additions highlight a persistent patching blind spot: vulnerabilities patched years ago that never made it into legacy system maintenance cycles, now routinely weaponised for initial access and privilege escalation.
Second Critical FortiClient EMS Flaw in a Month: CVE-2026-21643 Pre-Auth SQL Injection Exposed
Bishop Fox has published full technical details of CVE-2026-21643, a CVSS 9.8 pre-authentication SQL injection in Fortinet FortiClient EMS 7.4.4 that enables unauthenticated remote code execution. The flaw is distinct from last week's CVE-2026-35616 and affects a different version — organisations that patched for CVE-2026-35616 by upgrading to 7.4.5 or 7.4.6 may now be running a version vulnerable to the newer access control flaw.
CISA Adds Ivanti EPMM CVE-2026-1340 to KEV — Federal Patch Deadline Today
CISA has added CVE-2026-1340, a critical unauthenticated remote code execution flaw in Ivanti Endpoint Manager Mobile, to the Known Exploited Vulnerabilities catalogue with a federal agency deadline of 11 April. The vulnerability chains with CVE-2026-1281 to enable full appliance takeover and has been actively exploited since January 2026. All organisations running Ivanti EPMM on-premises must patch immediately.
Palo Alto PAN-OS CVE-2026-3197: SAML Auth Bypass Under Mass Exploitation by Nation-State Actors
A critical SAML authentication bypass in Palo Alto Networks PAN-OS GlobalProtect allows unauthenticated remote attackers to gain administrative firewall access. CVE-2026-3197 chains with a command injection flaw to achieve root-level OS execution and is being exploited by at least three distinct threat actor clusters including a China-nexus nation-state group. CISA has added it to the KEV catalogue.
Citrix NetScaler CVE-2026-3055 Actively Exploited — CISA Orders Patch by 2 April
A critical unauthenticated memory overread vulnerability in Citrix NetScaler ADC and NetScaler Gateway is being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities catalogue. Appliances configured as SAML Identity Providers are leaking sensitive memory contents including session tokens via a crafted SAML request.
Fortinet FortiClient EMS Zero-Day CVE-2026-35616 Actively Exploited — Apply Emergency Hotfix Now
A critical pre-authentication API bypass in Fortinet FortiClient EMS (CVSS 9.1) is being actively exploited in the wild, with CISA adding the vulnerability to its Known Exploited Vulnerabilities catalogue on 6 April. Organisations running FortiClient EMS 7.4.5 or 7.4.6 must apply the emergency hotfix immediately — FCEB agencies faced a remediation deadline of 9 April.
Citrix CVE-2026-3055 Confirmed Exploited — CISA KEV Addition Triggers Mandatory Patch Deadline
CISA added CVE-2026-3055 to its Known Exploited Vulnerabilities catalogue on 30 March, confirming active exploitation of the critical Citrix NetScaler memory overread vulnerability disclosed the previous week. NetScaler appliances configured as SAML Identity Providers are leaking session tokens from memory, allowing attackers to impersonate users without credentials. Organisations must patch immediately.
March 2026 Brought 83 Patch Tuesday CVEs and Three CISA KEV Additions — How to Prioritise
March 2026's Patch Tuesday addressed 83 vulnerabilities including three critical Office RCEs, an Active Directory privilege escalation now in CISA's KEV catalogue, and a Kerberos security feature bypass. Add three separate CISA KEV additions throughout the month — F5 BIG-IP, Citrix NetScaler, and Active Directory — and security teams are managing a substantial patching backlog entering April. This analysis cuts through the volume to identify where to focus.
Active Directory Privilege Escalation CVE-2026-25177 Added to CISA KEV — Domain Admin Risk via SPN Abuse
CVE-2026-25177, a privilege escalation vulnerability in Active Directory Domain Services patched in March's Patch Tuesday, has been added to CISA's Known Exploited Vulnerabilities catalogue. An authenticated attacker with low-privileged domain credentials can exploit improper SPN and UPN name validation to escalate to domain administrator level. The KEV addition confirms in-the-wild exploitation approximately three weeks after patching was available.
F5 BIG-IP APM Vulnerability Reclassified as Critical RCE — CISA Mandates Three-Day Patch Window
A vulnerability in F5 BIG-IP Access Policy Manager initially classed as denial-of-service has been reclassified as critical remote code execution with CVSS 9.8 after active exploitation was confirmed. CISA added CVE-2025-53521 to its Known Exploited Vulnerabilities catalogue on 27 March and set a three-day patch deadline for federal agencies. All organisations running BIG-IP APM should treat this as an emergency.
Langflow RCE CVE-2026-33017 Exploited Within 20 Hours, Added to CISA KEV
A critical unauthenticated remote code execution vulnerability in Langflow AI pipeline builder was exploited in the wild within 20 hours of disclosure, with attackers harvesting API keys for OpenAI, Anthropic, and AWS from compromised instances. CISA added CVE-2026-33017 to the Known Exploited Vulnerabilities catalogue on 26 March, making patching mandatory for US federal agencies.
MongoBleed CVE-2025-14847: 87,000 Exposed MongoDB Instances Under Active Attack, Memory Leaking Credentials
CVE-2025-14847, named MongoBleed, is an unauthenticated memory disclosure vulnerability in MongoDB Server that allows attackers to read uninitialized heap memory from any internet-exposed instance. With 87,000 potentially vulnerable deployments globally and CISA KEV inclusion confirmed, active exploitation campaigns are targeting MongoDB instances to extract credentials, API keys, and sensitive data cached in server memory. The fix has been available since December 2025.
Interlock Ransomware Exploited Cisco FMC Zero-Day for 36 Days Before Patch — Root Access on Enterprise Firewalls
Cisco's Firepower Management Center (FMC) contains a CVSS 10.0 deserialization vulnerability that Interlock ransomware was exploiting as a zero-day for 36 days before Cisco disclosed or patched it. CVE-2026-20131 allows unauthenticated remote attackers to execute arbitrary Java code as root on any internet-exposed FMC appliance. Cisco patched the flaw on 4 March 2026, but unpatched appliances remain under active ransomware targeting.
Craft CMS CVSS 10 Code Injection CVE-2025-32432 Added to CISA KEV
CISA added CVE-2025-32432, a maximum-severity code injection vulnerability in Craft CMS, to its Known Exploited Vulnerabilities catalogue on 20 March 2026. The flaw allows unauthenticated remote attackers to execute arbitrary code on any publicly accessible Craft CMS installation. Exploitation has been ongoing since at least February 2025 and the Mimo threat actor has been actively using it to deploy cryptocurrency miners and residential proxy malware.