Published Monday, June 29, 2026 at 07:09 AM PT

BREAKING SECURITY ALERT β€” CISA KEV CATALOG UPDATE: THREE NEW ACTIVELY EXPLOITED VULNERABILITIES ADDED

BLUF: CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild. Federal Civilian Executive Branch (FCEB) agencies face mandatory remediation deadlines under BOD 22-01. All organizations should treat these as priority patching targets immediately.

DETAILS

  • CISA has added three vulnerabilities to the KEV Catalog, indicating confirmed active exploitation β€” not theoretical risk.
  • Under Binding Operational Directive (BOD) 22-01, FCEB agencies are legally required to remediate KEV-listed vulnerabilities by CISA-assigned deadlines.
  • Specific CVE identifiers, affected vendors/products, and remediation due dates are not confirmed in the source data provided β€” organizations should consult the CISA KEV Catalog directly for authoritative details.
  • This update follows a pattern of frequent KEV additions in recent weeks, including prior single, two, and seven-vulnerability additions β€” indicating sustained, broad exploitation activity across multiple product categories.
  • CISA’s guidance explicitly extends urgency beyond federal agencies to all organizations, public and private sector.

IMPACT

  • Directly mandated: All U.S. FCEB agencies β€” compliance deadlines apply.
  • Strongly urged: All private sector, state/local government, and critical infrastructure operators.
  • Scope of affected products: Unknown pending full catalog review β€” verify at cisa.gov/known-exploited-vulnerabilities-catalog.
  1. Immediately review the CISA KEV Catalog for the three newly added CVEs and identify whether affected products exist in your environment.
  2. Apply vendor-supplied patches or mitigations per CISA-specified deadlines β€” FCEB agencies treat this as mandatory.
  3. If patches are unavailable, implement compensating controls and isolate affected systems where operationally feasible.
  4. Review BOD 22-01 Fact Sheet for federal compliance obligations.
  5. Enroll in CISA KEV notifications to receive future updates without delay.

⚠️ UNCERTAINTY FLAGS

  • Specific CVEs, affected vendors, and due dates are not confirmed in available source data. Do not assume scope until catalog is reviewed directly.
  • Exploitation methods and threat actor attribution are unknown at this time.

SOURCES