
Known Exploited Vulnerabilities
CISA's catalogue of CVEs confirmed as actively exploited; mandatory patch deadlines for US federal agencies.
Last refreshed: 14 July 2026 · Appears in 1 active topic
Is the 2022 patch or the 2024 patch the one breaking into networks right now?
Timeline for Known Exploited Vulnerabilities
A quiet KEV fortnight, then a 2008 bug
Cybersecurity: Threats and DefencesMentioned in: BOD 26-04, a fortnight of triage
Cybersecurity: Threats and DefencesMentioned in: BlueHammer turns into a ransomware step
Cybersecurity: Threats and DefencesMentioned in: SharePoint patch clock runs out today
Cybersecurity: Threats and DefencesMentioned in: Cisco tops a five-vendor KEV batch
Cybersecurity: Threats and DefencesHas the pace of new CISA KEV additions slowed down?
What is the oldest vulnerability in CISA's KEV catalogue?
Does the CISA KEV catalogue apply to private companies?
Background
The CISA Known Exploited Vulnerabilities (KEV) catalogue is the primary operational mechanism for communicating mandatory patch obligations to Federal Civilian Executive Branch (FCEB) agencies and urgency signals to private-sector organisations. The KEV catalogue was established under CISA's Binding Operational Directive 22-01 in November 2021. FCEB agencies must remediate KEV CVEs within specified windows: typically 14 days for non-critical and 2-7 days for critical, with Emergency Directives applying the shortest windows to the highest-severity active exploitation cases. Private-sector organisations are not bound by BOD 22-01 but treat KEV addition as the strongest available public signal of active exploitation, and it is the data feed that drives patch-prioritisation tooling in Qualys, Tenable, Rapid7, and most major vulnerability management platforms.
In the 30-day window covered by the first cyber-threats update (April 2026), CISA added nine CVEs including CVE-2026-3055 (CitrixBleed 3), CVE-2025-53521 (F5 BIG-IP APM, reclassified to CVSS 9.8 RCE), CVE-2009-0238 (17-year-old Microsoft Office RCE), CVE-2026-21643 (Fortinet SQL injection), and CVE-2026-32201 (SharePoint spoofing zero-day). In April 2026, 16 new CVEs were added, including three Cisco Catalyst SD-WAN Manager CVEs added on 20 April with a 3-day federal remediation Deadline, the shortest observed window in the current cycle.
A structurally significant pattern emerged across three KEV additions in twelve days in May 2026: CISA imposed federal compliance obligations before vendor patches were available. PAN-OS CVE-2026-0300 was added on 6 May with a 9 May federal Deadline, four days before Palo Alto's own patches shipped. Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) was added on 14 May with a 17 May Deadline, and Exchange Server CVE-2026-42897 was added on 15 May with a 29 May Deadline while Microsoft had not shipped a patch. The first instance read as forced by exploitation Velocity; the repeat reframes it as posture: CISA is willing to write a federal Deadline against an unpatchable flaw twice in twelve days.
The 1-3 June 2026 batch extended and sharpened the legacy-estate pattern. Oracle WebLogic CVE-2024-21182 (CVSS 7.5, patched January 2024) and Linux cgroups CVE-2022-0492 (patched 2022) were listed alongside near-fresh Magento CVE-2026-45247 (CVSS 9.8, patched 25 May) and Android CVE-2025-48595 (CVSS 8.4). Two of the four June entries predate 2025. Honeypots had recorded scans and payloads on WebLogic ports 7001/7002 since mid-May, delivering Cobalt Strike beacons and Sodinokibi ransomware; CISA set a 22 June Deadline, reflecting the scheduled-downtime cost of patching middleware, while the cgroups and Android entries carried 3-day deadlines because criminal exploitation moves faster. The pattern across updates confirms that KEV is functioning as a forcing function across legacy estates, not a zero-day alert service: the flaw that weaponises is the years-old patch nobody confirmed was applied.
For context, the catalogue's obligations have grown while the agency responsible for maintaining and enforcing them faces a proposed $707m CISA cut affecting 860 staff, a budget constraint that reduces the agency's capacity to sustain the advisory quality and frequency the KEV's signal value depends on.
The BOD 22-01 Deadline regime that governed the KEV catalogue since November 2021 was formally revoked on 10 June 2026 when CISA issued Binding Operational Directive 26-04. The replacement model assigns remediation windows across four tiers (3 days, 14 days, 60 days, and next upgrade cycle), calibrated against a four-dimension risk assessment covering exploitability, exposure, asset criticality, and observed threat actor behaviour, rather than a binary critical/non-critical split. The first KEV batch filed under the new regime landed on 23 June 2026: three Ubiquiti CVSS 10.0 chain CVEs were assigned to the top 3-day tier, validating that the shortest window still applies to the highest-severity actively-exploited flaws.
The catalogue passed approximately 1,627 entries by mid-June 2026, a Velocity of roughly two CVEs per day, while CISA faces a proposed $707m FY27 budget cut affecting around 860 staff. The in-flight Deadline ambiguity created by the transition (at least one window, for Arista equipment, was issued before 10 June under the revoked order's terms) is a live governance question that patches already in motion will have to navigate. The shift from fixed deadlines to tiered, evidence-based windows marks the most significant structural change to US mandatory patch policy since the catalogue's creation.
The 5-14 July window was the quietest fortnight the beat has tracked: only seven CVEs added, six in web software plus an 18-year-old Cisco IOS CSRF flaw, CVE-2008-4128, the oldest entry the catalogue has carried since monitoring began, taking the total to 1,638 entries. No headline vendor featured. Against the roughly two-a-day pace tracked through June, the slowdown is a possible early signal that BOD 26-04's risk-tiered triage is reshaping what gets listed, favouring depth of assessment over volume, though one quiet fortnight is not yet a confirmed trend.