Skip to content
You can now search across every topic, entity and event.What's new
Known Exploited Vulnerabilities
ConceptUS

Known Exploited Vulnerabilities

CISA's catalogue of CVEs confirmed as actively exploited; mandatory patch deadlines for US federal agencies.

Last refreshed: 14 July 2026 · Appears in 1 active topic

Key Question

Is the 2022 patch or the 2024 patch the one breaking into networks right now?

Timeline for Known Exploited Vulnerabilities

#1014 Jul

A quiet KEV fortnight, then a 2008 bug

Cybersecurity: Threats and Defences
#94 Jul

Mentioned in: BOD 26-04, a fortnight of triage

Cybersecurity: Threats and Defences
#91 Jul
#91 Jul

Mentioned in: SharePoint patch clock runs out today

Cybersecurity: Threats and Defences
#929 Jun

Mentioned in: Cisco tops a five-vendor KEV batch

Cybersecurity: Threats and Defences
View full timeline →
Common Questions
Has the pace of new CISA KEV additions slowed down?
Yes. The 5-14 July 2026 window added only seven CVEs, the quietest fortnight tracked, against a roughly two-a-day pace through June, a possible early sign BOD 26-04's risk-tiered triage is changing what gets listed.Source: event
What is the oldest vulnerability in CISA's KEV catalogue?
CVE-2008-4128, an 18-year-old Cisco IOS CSRF flaw, added in the 5-14 July 2026 window, the oldest entry the catalogue has carried since the beat began tracking it.Source: event
Does the CISA KEV catalogue apply to private companies?
BOD 26-04 and its predecessor BOD 22-01 impose mandatory remediation deadlines only on US Federal Civilian Executive Branch agencies. Private-sector organisations are not legally bound but widely treat KEV addition as the strongest available signal of active exploitation.Source: event

Background

The CISA Known Exploited Vulnerabilities (KEV) catalogue is the primary operational mechanism for communicating mandatory patch obligations to Federal Civilian Executive Branch (FCEB) agencies and urgency signals to private-sector organisations. The KEV catalogue was established under CISA's Binding Operational Directive 22-01 in November 2021. FCEB agencies must remediate KEV CVEs within specified windows: typically 14 days for non-critical and 2-7 days for critical, with Emergency Directives applying the shortest windows to the highest-severity active exploitation cases. Private-sector organisations are not bound by BOD 22-01 but treat KEV addition as the strongest available public signal of active exploitation, and it is the data feed that drives patch-prioritisation tooling in Qualys, Tenable, Rapid7, and most major vulnerability management platforms.

In the 30-day window covered by the first cyber-threats update (April 2026), CISA added nine CVEs including CVE-2026-3055 (CitrixBleed 3), CVE-2025-53521 (F5 BIG-IP APM, reclassified to CVSS 9.8 RCE), CVE-2009-0238 (17-year-old Microsoft Office RCE), CVE-2026-21643 (Fortinet SQL injection), and CVE-2026-32201 (SharePoint spoofing zero-day). In April 2026, 16 new CVEs were added, including three Cisco Catalyst SD-WAN Manager CVEs added on 20 April with a 3-day federal remediation Deadline, the shortest observed window in the current cycle.

A structurally significant pattern emerged across three KEV additions in twelve days in May 2026: CISA imposed federal compliance obligations before vendor patches were available. PAN-OS CVE-2026-0300 was added on 6 May with a 9 May federal Deadline, four days before Palo Alto's own patches shipped. Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) was added on 14 May with a 17 May Deadline, and Exchange Server CVE-2026-42897 was added on 15 May with a 29 May Deadline while Microsoft had not shipped a patch. The first instance read as forced by exploitation Velocity; the repeat reframes it as posture: CISA is willing to write a federal Deadline against an unpatchable flaw twice in twelve days.

The 1-3 June 2026 batch extended and sharpened the legacy-estate pattern. Oracle WebLogic CVE-2024-21182 (CVSS 7.5, patched January 2024) and Linux cgroups CVE-2022-0492 (patched 2022) were listed alongside near-fresh Magento CVE-2026-45247 (CVSS 9.8, patched 25 May) and Android CVE-2025-48595 (CVSS 8.4). Two of the four June entries predate 2025. Honeypots had recorded scans and payloads on WebLogic ports 7001/7002 since mid-May, delivering Cobalt Strike beacons and Sodinokibi ransomware; CISA set a 22 June Deadline, reflecting the scheduled-downtime cost of patching middleware, while the cgroups and Android entries carried 3-day deadlines because criminal exploitation moves faster. The pattern across updates confirms that KEV is functioning as a forcing function across legacy estates, not a zero-day alert service: the flaw that weaponises is the years-old patch nobody confirmed was applied.

For context, the catalogue's obligations have grown while the agency responsible for maintaining and enforcing them faces a proposed $707m CISA cut affecting 860 staff, a budget constraint that reduces the agency's capacity to sustain the advisory quality and frequency the KEV's signal value depends on.

The BOD 22-01 Deadline regime that governed the KEV catalogue since November 2021 was formally revoked on 10 June 2026 when CISA issued Binding Operational Directive 26-04. The replacement model assigns remediation windows across four tiers (3 days, 14 days, 60 days, and next upgrade cycle), calibrated against a four-dimension risk assessment covering exploitability, exposure, asset criticality, and observed threat actor behaviour, rather than a binary critical/non-critical split. The first KEV batch filed under the new regime landed on 23 June 2026: three Ubiquiti CVSS 10.0 chain CVEs were assigned to the top 3-day tier, validating that the shortest window still applies to the highest-severity actively-exploited flaws.

The catalogue passed approximately 1,627 entries by mid-June 2026, a Velocity of roughly two CVEs per day, while CISA faces a proposed $707m FY27 budget cut affecting around 860 staff. The in-flight Deadline ambiguity created by the transition (at least one window, for Arista equipment, was issued before 10 June under the revoked order's terms) is a live governance question that patches already in motion will have to navigate. The shift from fixed deadlines to tiered, evidence-based windows marks the most significant structural change to US mandatory patch policy since the catalogue's creation.

The 5-14 July window was the quietest fortnight the beat has tracked: only seven CVEs added, six in web software plus an 18-year-old Cisco IOS CSRF flaw, CVE-2008-4128, the oldest entry the catalogue has carried since monitoring began, taking the total to 1,638 entries. No headline vendor featured. Against the roughly two-a-day pace tracked through June, the slowdown is a possible early signal that BOD 26-04's risk-tiered triage is reshaping what gets listed, favouring depth of assessment over volume, though one quiet fortnight is not yet a confirmed trend.

More questions
How many CVEs are in the CISA Known Exploited Vulnerabilities catalogue?
Approximately 1,627 CVEs as of mid-June 2026, growing at roughly two entries per day since the catalogue launched in November 2021.Source: event
What replaced BOD 22-01 for CISA KEV patch deadlines?
CISA replaced BOD 22-01 with BOD 26-04 on 10 June 2026. The new directive uses a four-tier risk model (3 days, 14 days, 60 days, or next upgrade cycle) based on exploitability, exposure, asset criticality, and threat actor behaviour.Source: event
What happens when CISA sets a KEV patch deadline before a vendor has shipped a fix?
In May 2026, CISA did this three times in twelve days: PAN-OS CVE-2026-0300 (Deadline 9 May, Palo Alto patches from 13 May), Cisco SD-WAN CVE-2026-20182 (Deadline 17 May), and Exchange CVE-2026-42897 (Deadline 29 May, Microsoft patch not yet shipped). Agencies must implement available mitigations and accept a documented non-compliance posture until the vendor patch ships.Source: CISA KEV / ED 26-03
What was the shortest KEV remediation deadline in 2026?
Three Cisco Catalyst SD-WAN Manager CVEs added to KEV on 20 April 2026 carried a 3-day federal remediation Deadline, the shortest in the April cycle. In May 2026, Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) also carried a 3-day Emergency Directive Deadline from CISA.Source: CISA KEV / April and May 2026
Will CISA budget cuts affect the KEV catalogue?
The Trump administration's FY27 budget proposes cutting CISA by $707m, affecting 860 staff. The KEV catalogue's signal quality and frequency depend on CISA's analyst capacity to monitor exploitation and write advisories. A materially reduced CISA would slow catalogue additions and reduce the advisory detail that private-sector patch teams rely on.Source: CISA budget proposal FY27
What is CISA's Known Exploited Vulnerabilities catalogue?
CISA's KEV catalogue lists CVEs with confirmed active exploitation. Federal agencies must patch KEV CVEs within set deadlines under Binding Operational Directive 22-01. It is the primary public signal of active exploitation used by private-sector patch-prioritisation teams worldwide.Source: CISA
Are the vulnerabilities in CISA's KEV catalogue mostly new or old?
A significant share are years old. The June 2026 batch included CVE-2022-0492 (Linux cgroups, four years old) and CVE-2024-21182 (Oracle WebLogic, patched January 2024). A 17-year-old Microsoft Office bug was added in the April 2026 window. KEV is a forcing function across legacy estates, not a zero-day service.Source: CISA KEV
What was the shortest KEV remediation deadline in April 2026?
Three Cisco Catalyst SD-WAN Manager CVEs added to KEV on 20 April 2026 carried a 3-day federal remediation Deadline — the shortest window in the April 2026 additions, signalling CISA's assessment of high active-exploitation risk.Source: CISA KEV / April 2026
Source Material