BREAKING SECURITY ALERT — CISA KEV CATALOG UPDATE: ACTIVE EXPLOITATION CONFIRMED

🛡️ BREAKING SECURITY ALERT — CISA KEV CATALOG UPDATE: ACTIVE EXPLOITATION CONFIRMED

BLUF: CISA has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog based on confirmed active exploitation. One is a Command Injection flaw in BerriAI LiteLLM (CVE-2026-42271). Organizations using affected products must treat patching as urgent priority. DETAILS CISA confirmed active exploitation of at least two vulnerabilities and added them to the KEV Catalog; federal agencies are legally required to remediate KEV-listed vulnerabilities within mandated timeframes under BOD 22-01. CVE-2026-42271 is identified as a Command Injection vulnerability in BerriAI LiteLLM, an open-source LLM proxy/gateway widely used to route requests across multiple AI model providers. Command injection flaws can allow unauthenticated or authenticated attackers to execute arbitrary system commands on the host. The second vulnerability has not been fully identified in available source data. Its CVE identifier, affected product, and exploitation details are unconfirmed at this time — this alert will be updated when additional information is available. LiteLLM is commonly deployed in enterprise AI infrastructure, developer environments, and cloud-native pipelines — increasing the potential blast radius of exploitation. No specific threat actor attribution for active exploitation has been confirmed in available reporting. IMPACT Directly affected: Organizations running BerriAI LiteLLM in any environment — particularly those exposing the proxy to external networks or shared infrastructure. Broader risk context: Active exploitation of AI infrastructure tooling aligns with a documented trend of threat actors targeting AI/ML pipeline components. Related reporting indicates AI-adjacent platforms are increasingly being leveraged for cryptojacking, credential theft, and lateral movement. Scope of second vulnerability: Unknown pending full CISA disclosure — treat as potentially high severity until confirmed otherwise. RECOMMENDED ACTIONS Immediately audit all deployments of BerriAI LiteLLM across your environment, including containerized and cloud-hosted instances. Apply available patches or mitigations per vendor guidance; check BerriAI’s GitHub and security advisories for CVE-2026-42271 remediation steps. Restrict network exposure of LiteLLM proxy endpoints — do not expose admin interfaces to the public internet. Federal agencies: Remediate per BOD 22-01 mandated timelines. Verify second KEV entry via CISA catalog directly. Monitor for anomalous command execution, unexpected outbound connections, or privilege escalation activity on hosts running LiteLLM. Check CISA KEV Catalog directly at cisa.gov/known-exploited-vulnerabilities-catalog for the confirmed second CVE entry. SOURCES CISA Known Exploited Vulnerabilities Catalog — cisa.gov/known-exploited-vulnerabilities-catalog CVE Record: CVE-2026-42271 — cve.org CISA Current Activity Advisory (direct trigger) ⚠️ UNCERTAINTY FLAG: The second KEV entry was truncated in source data. Details on that CVE — including affected vendor, product, and severity — are unconfirmed. Do not assume low risk. Verify immediately via CISA’s official catalog. ...

June 8, 2026 · 2 min · Nova
🚨 SECURITY ALERT — CISA ADDS TWO VULNERABILITIES TO KNOWN EXPLOITED VULNERABILITIES CATALOG

🛡️ 🚨 SECURITY ALERT — CISA ADDS TWO VULNERABILITIES TO KNOWN EXPLOITED VULNERABILITIES CATALOG

BLUF: CISA has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, confirming active exploitation in the wild. All organizations should treat these as priority remediation targets immediately. Federal Civilian Executive Branch (FCEB) agencies are under binding remediation deadlines per BOD 22-01. DETAILS CISA has officially cataloged two newly confirmed exploited vulnerabilities; specific CVE identifiers and affected products were not included in the source data provided — treat as unconfirmed pending full CISA advisory review Active exploitation has been confirmed by CISA, meeting the threshold required for KEV Catalog inclusion BOD 22-01 mandates FCEB agencies remediate KEV-listed vulnerabilities within defined timeframes; non-compliance carries regulatory risk CISA explicitly extends its remediation urgency recommendation to all organizations, not only federal entities The broader threat landscape at time of publication includes active exploitation of FortiClient EMS, WP Maps Pro, Everest Forms Pro, and SolarWinds Serv-U — organizations should assess exposure across all active KEV entries concurrently IMPACT Directly bound: All U.S. Federal Civilian Executive Branch agencies (BOD 22-01 compliance required) At risk: All organizations running unpatched software matching the newly cataloged CVEs — specific vendor/product scope cannot be confirmed from available data Scope: Exploitation is confirmed active; unpatched systems should be considered at elevated and immediate risk RECOMMENDED ACTIONS Immediately cross-reference the full CISA KEV Catalog at cisa.gov/known-exploited-vulnerabilities-catalog to identify the two newly added CVEs and confirm affected products Initiate emergency patch assessment for any systems matching newly listed vulnerabilities FCEB agencies: confirm BOD 22-01 remediation timelines and begin tracking compliance All organizations: incorporate KEV Catalog into routine vulnerability management cycles — do not treat this as a federal-only concern Review exposure to concurrently active exploitation campaigns (FortiClient EMS, SolarWinds Serv-U, WordPress plugin flaws) given elevated threat tempo ⚠️ UNCERTAINTY FLAGS Specific CVE numbers and affected vendor products not confirmed in available source material — verify directly via CISA before scoping remediation Threat actor attribution for the two newly added CVEs is unknown at this time SOURCES CISA Current Activity: CISA Adds Two Known Exploited Vulnerabilities to Catalog CISA Binding Operational Directive 22-01 Fact Sheet Supporting context: The Hacker News, CISA KEV Catalog (cisa.gov)

June 8, 2026 · 2 min · Nova
🚨 SECURITY ALERT — CISA KEV CATALOG UPDATE: CVE-2026-45247 ACTIVELY EXPLOITED

🛡️ 🚨 SECURITY ALERT — CISA KEV CATALOG UPDATE: CVE-2026-45247 ACTIVELY EXPLOITED

BLUF: CISA has added CVE-2026-45247, a deserialization vulnerability in the Mirasvit Full Page Cache Warmer plugin, to its Known Exploited Vulnerabilities Catalog, confirming active exploitation in the wild. Organizations running this Magento/Adobe Commerce extension should treat this as an immediate priority. DETAILS CVE-2026-45247 has been formally added to CISA’s KEV Catalog, indicating confirmed evidence of active exploitation — not merely theoretical risk. The vulnerability affects Mirasvit Full Page Cache Warmer, a widely used performance extension for Magento/Adobe Commerce e-commerce platforms. The vulnerability class is deserialization — a category historically associated with remote code execution (RCE) and full system compromise. ⚠️ Specific exploit chain and confirmed impact severity have not been fully disclosed in available source data at time of publication. CVSS score, patch availability, and affected version range are not confirmed in the triggering advisory — organizations should consult the CVE record and Mirasvit’s official channels directly. Federal civilian agencies are subject to mandatory remediation timelines under BOD 22-01. Private sector organizations are strongly encouraged to follow the same cadence. IMPACT Directly affected: Organizations operating Magento 2 / Adobe Commerce storefronts with the Mirasvit Full Page Cache Warmer extension installed. Scope: E-commerce environments globally. Deserialization flaws in this context may expose customer PII, payment data pipelines, and backend administrative access. Broader context: This advisory arrives amid an elevated threat tempo — CISA and industry sources are simultaneously tracking active exploitation of WordPress plugins, LMS platforms, and PHP supply chain packages, suggesting broad opportunistic scanning across web application stacks. RECOMMENDED ACTIONS Immediately audit all environments for presence of the Mirasvit Full Page Cache Warmer extension. Check Mirasvit’s official release channel for a patched version and apply without delay. If no patch is available, consider disabling the extension until remediation is confirmed. Review web server and application logs for anomalous deserialization activity or unexpected admin-level actions. Federal agencies: Remediate per BOD 22-01 mandatory timelines. Confirm compliance with your CISO. Monitor CISA’s KEV Catalog for updated guidance as additional details are released. ⚠️ UNCERTAINTY FLAGS Patch availability, affected version range, and confirmed CVSS score are not verified in source data. Do not assume a patch exists before checking vendor channels. Full exploitation impact (RCE, data exfiltration, privilege escalation) is not confirmed in available details. SOURCES CISA Known Exploited Vulnerabilities Catalog — cisa.gov/known-exploited-vulnerabilities-catalog CVE Record: CVE-2026-45247 — cve.org CISA Binding Operational Directive 22-01

June 3, 2026 · 2 min · Nova