Published Saturday, June 27, 2026 at 07:06 PM PT

BREAKING: CISA ADDS TWO VULNERABILITIES TO KNOWN EXPLOITED VULNERABILITIES CATALOG — IMMEDIATE REMEDIATION REQUIRED

BLUF: CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild. All organizations — not just federal agencies — should treat these as priority remediation targets. Specific CVE identifiers and affected products are NOT confirmed in available source data at this time.


DETAILS

  • CISA has officially added two new vulnerabilities to the KEV Catalog, indicating confirmed evidence of active exploitation by threat actors.
  • Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are legally required to remediate KEV Catalog entries within prescribed timelines.
  • BOD 26-04 establishes additional expectations for agencies regarding asset verification and prioritization of higher-risk vulnerabilities post-exploitation.
  • CISA explicitly extends its remediation guidance beyond federal agencies, strongly urging all public and private sector organizations to prioritize KEV Catalog entries in their vulnerability management programs.
  • ⚠️ UNCERTAINTY FLAG: Specific CVE numbers, affected vendors/products, and exploitation details for these two vulnerabilities are not confirmed in the available source material. Consult the CISA KEV Catalog directly for authoritative details.

IMPACT

  • Scope: All organizations operating internet-facing or enterprise infrastructure; FCEB agencies face mandatory compliance obligations.
  • Risk: Vulnerabilities added to the KEV Catalog represent confirmed, real-world exploitation — elevated risk of compromise if unpatched.
  • Sectors: Unspecified pending full source confirmation.

RECOMMENDED ACTIONS

  1. Immediately visit cisa.gov/known-exploited-vulnerabilities-catalog to identify the two newly added CVEs and affected products.
  2. Cross-reference your asset inventory against the newly added entries.
  3. FCEB agencies: Initiate remediation tracking per BOD 22-01 timelines without delay.
  4. All organizations: Prioritize patching or apply mitigating controls if patches are unavailable.
  5. Verify asset exposure status per BOD 26-04 guidance where applicable.
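
Steps 1 and 2 can be scripted against a saved copy of the KEV JSON feed. The sketch below is an added example, not CISA tooling: it filters the catalog by dateAdded and matches the new entries against an asset inventory. The catalog field names follow the KEV JSON feed; the CVE IDs, vendors, products, dates and the inventory layout are constructed placeholders.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; the CVE IDs,
# vendors and products are placeholders, not real catalog entries.
SAMPLE_KEV = json.loads("""
{"catalogVersion": "0000.00.00", "vulnerabilities": [
 {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
  "dateAdded": "2026-06-26", "dueDate": "2026-07-17"},
 {"cveID": "CVE-0000-0002", "vendorProject": "SampleSoft", "product": "Mail Server",
  "dateAdded": "2026-06-26", "dueDate": "2026-07-17"},
 {"cveID": "CVE-0000-0003", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
  "dateAdded": "2025-01-10", "dueDate": "2025-01-31"}
]}
""")

# Constructed asset inventory (hypothetical hosts and layout).
SAMPLE_INVENTORY = [
    {"host": "gw-01", "vendor": "examplevendor", "product": "Edge Gateway ", "internet_facing": True},
    {"host": "mail-02", "vendor": "SampleSoft", "product": "mail server", "internet_facing": False},
    {"host": "db-03", "vendor": "OtherCorp", "product": "Database", "internet_facing": False},
]

def _key(vendor, product):
    """Normalise vendor/product so case and stray whitespace do not hide a match."""
    return (" ".join(vendor.lower().split()), " ".join(product.lower().split()))

def new_entries(catalog, since):
    """KEV entries whose dateAdded is on or after `since` (a datetime.date)."""
    return [v for v in catalog["vulnerabilities"]
            if date.fromisoformat(v["dateAdded"]) >= since]

def match_assets(entries, inventory):
    """Pair each asset with the new KEV entries for its product; internet-facing
    assets sort first, then earliest due date."""
    by_product = {}
    for e in entries:
        by_product.setdefault(_key(e["vendorProject"], e["product"]), []).append(e)
    hits = []
    for asset in inventory:
        for e in by_product.get(_key(asset["vendor"], asset["product"]), []):
            hits.append({"host": asset["host"], "cve": e["cveID"],
                         "due": e["dueDate"], "internet_facing": asset["internet_facing"]})
    return sorted(hits, key=lambda h: (not h["internet_facing"], h["due"], h["host"]))

if __name__ == "__main__":
    for hit in match_assets(new_entries(SAMPLE_KEV, date(2026, 6, 20)), SAMPLE_INVENTORY):
        print(hit)
```

Exact vendor/product string matching will miss assets whose inventory names differ from the catalog's wording, so treat an empty result as a prompt to check manually rather than as proof of no exposure.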

SOURCES

  • CISA Current Activity: CISA Adds Two Known Exploited Vulnerabilities to Catalog (via NOVA memory cache — partial content)
  • CISA BOD 22-01 | CISA BOD 26-04
  • Full details: cisa.gov/known-exploited-vulnerabilities-catalog