
Known Exploited Vulnerabilities
CISA's KEV catalogue of CVEs with confirmed active exploitation; 9 CVEs added in 30 days including CitrixBleed 3, F5 BIG-IP RCE, and a 17-year-old Office bug.
Last refreshed: 17 April 2026 · Appears in 1 active topic
What happens to CISA's must-patch list if the agency loses 860 staff?
Timeline for Known Exploited Vulnerabilities
- Mentioned in: CitrixBleed 3 lands on SAML broker (Cybersecurity: Threats and Defences)
- Mentioned in: F5 reclassifies DoS bug to 9.8 RCE (Cybersecurity: Threats and Defences)
- Mentioned in: 17-year-old Office RCE back on KEV (Cybersecurity: Threats and Defences)
- Mentioned in: Trump proposes $707m CISA cut, 860 jobs (Cybersecurity: Threats and Defences)
- What is CISA's Known Exploited Vulnerabilities catalogue?
- CISA's KEV catalogue lists CVEs with confirmed active exploitation. Federal agencies must patch KEV CVEs within set deadlines under Binding Operational Directive 22-01. In the 30 days ending April 2026, CISA added 9 CVEs, including CitrixBleed 3, F5 BIG-IP RCE, and a 17-year-old Microsoft Office vulnerability. Source: CISA
- Does the CISA KEV list apply to private companies?
- CISA's KEV catalogue is mandatory only for Federal Civilian Executive Branch agencies. Private-sector organisations are not legally required to patch KEV CVEs but widely use KEV addition as the strongest available signal of active exploitation to prioritise their own patch programmes. Source: CISA BOD 22-01
Background
The CISA Known Exploited Vulnerabilities (KEV) catalogue is the primary operational mechanism for communicating mandatory patch obligations to Federal Civilian Executive Branch (FCEB) agencies and urgency signals to private-sector organisations. In the 30-day window covered by this update, CISA added nine CVEs including CVE-2026-3055 (CitrixBleed 3), CVE-2025-53521 (F5 BIG-IP APM, reclassified to CVSS 9.8 RCE), CVE-2009-0238 (17-year-old Microsoft Office RCE), CVE-2026-21643 (Fortinet SQL injection) and CVE-2026-32201 (SharePoint spoofing zero-day).
The KEV catalogue was established under CISA's Binding Operational Directive 22-01 in November 2021. FCEB agencies must remediate KEV CVEs within specified windows (typically 14 days for non-critical and 2–7 days for critical). Private-sector organisations are not bound by BOD 22-01 but treat KEV addition as the strongest available public signal of active exploitation. The KEV catalogue is the data feed that drives patch-prioritisation tooling in Qualys, Tenable, Rapid7 and most major vulnerability management platforms.
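As an added example (not code from this page or from CISA), the script below shows the kind of check the KEV feed drives inside patch-prioritisation tooling: it indexes records laid out like the public KEV JSON feed (cveID, dateAdded, dueDate, knownRansomwareCampaignUse), matches them against a scanner inventory, and ranks the hits by BOD 22-01 due date. The feed sample, its dates and the inventory are constructed; only the CVE identifiers come from this page.

```python
from datetime import date

# Constructed sample in the layout of the public KEV JSON feed. The CVE
# identifiers are the ones named on this page; every date is made up.
KEV_FEED = {"vulnerabilities": [
    {"cveID": "CVE-2026-3055", "vendorProject": "Citrix", "dateAdded": "2026-04-01",
     "dueDate": "2026-04-15", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-53521", "vendorProject": "F5", "dateAdded": "2026-04-08",
     "dueDate": "2026-04-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2009-0238", "vendorProject": "Microsoft", "dateAdded": "2026-04-10",
     "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Known"},
]}

# Constructed scanner output: host -> CVEs reported as unpatched.
INVENTORY = {
    "vpn-gw-01": ["CVE-2026-3055", "CVE-2024-0001"],
    "lb-edge-02": ["CVE-2025-53521"],
    "wks-finance-17": ["CVE-2009-0238"],
}

def index_kev(feed):
    """Map cveID -> KEV record so membership checks are a dict lookup."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}

def triage(inventory, kev, today_iso):
    """Return only KEV-listed findings, overdue first, then by soonest due date."""
    today = date.fromisoformat(today_iso)
    findings = []
    for host, cves in inventory.items():
        for cve in cves:
            rec = kev.get(cve)
            if rec is None:          # not in the catalogue: normal risk-based cycle
                continue
            days_left = (date.fromisoformat(rec["dueDate"]) - today).days
            findings.append({
                "host": host, "cve": cve, "vendor": rec["vendorProject"],
                "due": rec["dueDate"], "days_left": days_left,
                "overdue": days_left < 0,
                "ransomware": rec["knownRansomwareCampaignUse"] == "Known",
            })
    # False sorts before True, so overdue items (not overdue == False) come first.
    findings.sort(key=lambda f: (not f["overdue"], f["days_left"]))
    return findings

if __name__ == "__main__":
    for f in triage(INVENTORY, index_kev(KEV_FEED), "2026-04-17"):
        status = "OVERDUE" if f["overdue"] else f"{f['days_left']}d left"
        print(f"{f['host']:15} {f['cve']:15} {f['vendor']:10} {status}")
```

Pointing `KEV_FEED` at the live catalogue download instead of the inline sample leaves the rest unchanged, since the field names match the public feed.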
For enterprise patch-management teams, the KEV's nine-CVE addition rate in 30 days, against the backdrop of a proposed $707m CISA cut, is the core tension: the catalogue's obligations are growing while the agency responsible for maintaining and enforcing them faces a proposed one-third budget reduction.