Published Friday, June 26, 2026 at 07:00 PM PT

BLUF: CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies are under mandatory remediation timelines per BOD 22-01. All other organizations are strongly urged to treat these as priority remediation items.
DETAILS:
- CISA has added two newly confirmed exploited vulnerabilities to the KEV Catalog; specific CVE identifiers and affected vendors/products are not confirmed in available source data. Consult the KEV Catalog directly at cisa.gov/known-exploited-vulnerabilities-catalog for full entries.
- Inclusion in the KEV Catalog indicates CISA has confirmed evidence of active exploitation; these are not theoretical or proof-of-concept risks.
- BOD 22-01 mandates FCEB agencies remediate KEV Catalog entries within defined timeframes; BOD 26-04 further establishes expectations for agencies to assess asset control risk and prioritize accordingly.
- CISA guidance directs organizations to prioritize vulnerabilities where exploitation could result in loss of control of the asset post-exploitation, with lower-risk items addressed on a deferred schedule.
IMPACT:
- Directly mandated: All U.S. Federal Civilian Executive Branch agencies.
- Strongly urged: All public and private sector organizations globally using affected products (specific products unconfirmed in this alert; verify via KEV Catalog).
- Scope of exploitation activity in the wild is not specified in available data.
RECOMMENDED ACTIONS:
- Immediately check the CISA KEV Catalog for the two new entries: cisa.gov/known-exploited-vulnerabilities-catalog
- Identify whether affected products exist in your environment.
- FCEB agencies: confirm remediation deadlines per BOD 22-01 and BOD 26-04 requirements.
- All organizations: apply vendor patches or mitigations without delay; prioritize assets where exploitation could result in full loss of control.
- Review CISA's BOD 22-01 Fact Sheet for compliance guidance.
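
The first two actions above (find the new catalog entries, then check whether the affected products exist in your environment) can be scripted. The sketch below is an added example, not CISA tooling or part of the original alert; it assumes the field names of the KEV Catalog JSON feed (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`), and the feed sample, placeholder CVE IDs, inventory and the `triage_new_kev` helper are all constructed for illustration.

```python
import json
from datetime import date

# Constructed sample shaped like the KEV Catalog JSON feed. The CVE IDs, vendors,
# products and dates are placeholders, not real catalog entries.
SAMPLE_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
     "dateAdded": "2026-06-26", "dueDate": "2026-07-17"},
    {"cveID": "CVE-0000-00002", "vendorProject": "SampleSoft", "product": "Mail Server",
     "dateAdded": "2026-06-26", "dueDate": "2026-07-10"},
    {"cveID": "CVE-0000-00003", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
     "dateAdded": "2025-01-15", "dueDate": "2025-02-05"},
]})

# Hypothetical asset inventory: (vendor, product, hostname).
INVENTORY = [
    ("examplevendor", "edge  gateway", "gw-01"),
    ("ExampleVendor", "Edge Gateway", "gw-02"),
    ("OtherCorp", "File Share", "fs-01"),
]

def _norm(s):
    """Lower-case and collapse whitespace so naming variants compare equal."""
    return " ".join(s.lower().split())

def triage_new_kev(feed_json, inventory, since, today):
    """Return (matched, unmatched) for catalog entries added on or after `since`."""
    by_product = {}
    for vendor, product, host in inventory:
        by_product.setdefault((_norm(vendor), _norm(product)), []).append(host)
    matched, unmatched = [], []
    for v in json.loads(feed_json)["vulnerabilities"]:
        if date.fromisoformat(v["dateAdded"]) < since:
            continue  # older entry, handled in a previous review cycle
        hosts = by_product.get((_norm(v["vendorProject"]), _norm(v["product"])))
        if hosts:
            days_left = (date.fromisoformat(v["dueDate"]) - today).days
            matched.append({"cve": v["cveID"], "hosts": sorted(hosts), "days_left": days_left})
        else:
            # No exact name match is not proof of absence; keep for manual review.
            unmatched.append(v["cveID"])
    matched.sort(key=lambda m: m["days_left"])  # nearest deadline first
    return matched, unmatched

if __name__ == "__main__":
    print(triage_new_kev(SAMPLE_FEED, INVENTORY, date(2026, 6, 26), date(2026, 6, 27)))
```

Entries returned in the unmatched list still need a manual check, because inventory product names rarely match catalog names exactly.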
⚠️ UNCERTAINTY NOTE: Specific CVE numbers, affected vendors, and product names were not present in the source data available for this alert. Do not assume scope until KEV Catalog entries are reviewed directly.
SOURCES:
- CISA Current Activity: CISA Adds Two Known Exploited Vulnerabilities to Catalog (cisa.gov)
- CISA Binding Operational Directive 22-01
- CISA Binding Operational Directive 26-04
