
Known Exploited Vulnerabilities
CISA's KEV catalogue of CVEs with confirmed active exploitation; 9 CVEs added in 30 days including CitrixBleed 3, F5 BIG-IP RCE, and a 17-year-old Office bug.
Last refreshed: 20 May 2026
- What is CISA's Known Exploited Vulnerabilities catalogue?
- CISA's KEV catalogue lists CVEs with confirmed active exploitation. Federal agencies must patch KEV CVEs within set deadlines under Binding Operational Directive 22-01. In the first update window (April 2026), CISA added 9 CVEs including CitrixBleed 3, F5 BIG-IP RCE, and a 17-year-old Microsoft Office vulnerability. (Source: CISA)
- Does the CISA KEV list apply to private companies?
- CISA's KEV catalogue is mandatory only for Federal Civilian Executive Branch agencies. Private-sector organisations are not legally required to patch KEV CVEs but widely use KEV addition as the strongest available signal of active exploitation to prioritise their own patch programmes. (Source: CISA BOD 22-01)
- What was the shortest KEV remediation deadline in April 2026?
- Three Cisco Catalyst SD-WAN Manager CVEs added to KEV on 20 April 2026 carried a 3-day federal remediation deadline, the shortest window in the April 2026 additions, signalling CISA's assessment of high active-exploitation risk. (Source: CISA KEV / April 2026)
- What happens when CISA sets a KEV patch deadline before a vendor has shipped a fix?
- In May 2026, CISA did this three times in twelve days: PAN-OS CVE-2026-0300 (deadline 9 May, Palo Alto patches from 13 May), Cisco SD-WAN CVE-2026-20182 (deadline 17 May), and Exchange CVE-2026-42897 (deadline 29 May, Microsoft patch not yet shipped). Agencies must implement available mitigations and accept a documented non-compliance posture until the vendor patch ships. (Source: CISA KEV / ED 26-03)
- What was the shortest KEV remediation deadline in 2026?
- Three Cisco Catalyst SD-WAN Manager CVEs added to KEV on 20 April 2026 carried a 3-day federal remediation deadline, the shortest in the April cycle. In May 2026, Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) also carried a 3-day Emergency Directive deadline from CISA. (Source: CISA KEV / April and May 2026)
- Will CISA budget cuts affect the KEV catalogue?
- The Trump administration's FY27 budget proposes cutting CISA by $707m, affecting 860 staff. The KEV catalogue's signal quality and frequency depend on CISA's analyst capacity to monitor exploitation and write advisories. A materially reduced CISA would slow catalogue additions and reduce the advisory detail that private-sector patch teams rely on. (Source: CISA budget proposal FY27)
Background
The CISA Known Exploited Vulnerabilities (KEV) catalogue is the primary operational mechanism for communicating mandatory patch obligations to Federal Civilian Executive Branch (FCEB) agencies and urgency signals to private-sector organisations. The KEV catalogue was established under CISA's Binding Operational Directive 22-01 in November 2021. FCEB agencies must remediate KEV CVEs within specified windows: typically 14 days for non-critical and 2-7 days for critical, with Emergency Directives applying the shortest windows to the highest-severity active exploitation cases. Private-sector organisations are not bound by BOD 22-01 but treat KEV addition as the strongest available public signal of active exploitation, and it is the data feed that drives patch-prioritisation tooling in Qualys, Tenable, Rapid7, and most major vulnerability management platforms.
In the 30-day window covered by the first cyber-threats update (April 2026), CISA added nine CVEs including CVE-2026-3055 (CitrixBleed 3), CVE-2025-53521 (F5 BIG-IP APM, reclassified to CVSS 9.8 RCE), CVE-2009-0238 (17-year-old Microsoft Office RCE), CVE-2026-21643 (Fortinet SQL injection), and CVE-2026-32201 (SharePoint spoofing zero-day). In April 2026, 16 new CVEs were added, including three Cisco Catalyst SD-WAN Manager CVEs added on 20 April with a 3-day federal remediation deadline, the shortest observed window in the current cycle.
A structurally significant pattern has emerged across three KEV additions in twelve days in May 2026: CISA imposed federal compliance obligations before vendor patches were available. PAN-OS CVE-2026-0300 was added on 6 May with a 9 May federal deadline, four days before Palo Alto's own patches shipped. Cisco SD-WAN CVE-2026-20182 (CVSS 10.0) was added on 14 May with a 17 May deadline, and Exchange Server CVE-2026-42897 was added on 15 May with a 29 May deadline while Microsoft had not shipped a patch. The first instance read as forced by exploitation velocity; the repeat reframes it as posture: CISA is willing to write a federal deadline against an unpatchable flaw twice in twelve days. For enterprise patch-management teams, this places BOD 22-01 in operational tension with its own remediation framework: a federal compliance obligation that no remediation step satisfies requires a mitigation-plus-monitoring response that the directive does not formally specify.
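As an added example (not code from the page, from CISA, or from any vendor tooling), the triage logic a patch team needs for the deadline-before-patch cases above: it joins a constructed excerpt of the KEV feed, with field names modelled on CISA's public JSON, against the organisation's own vendor fix-date tracking and classifies each entry as patchable, patched-late, or mitigate-and-monitor. The CVE IDs and KEV dates are those stated on this page; the fix-date table is an assumption (Palo Alto's 13 May date is from the page, the Cisco and Exchange entries are modelled as having no fix yet).

```python
"""Triage KEV entries against vendor fix availability (added example)."""
import json
from datetime import date, datetime
from typing import Optional

# Constructed feed excerpt; field names modelled on CISA's public KEV JSON.
# CVE IDs and dates are the three May 2026 cases described on this page.
KEV_FEED = """{"vulnerabilities": [
 {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks",
  "dateAdded": "2026-05-06", "dueDate": "2026-05-09"},
 {"cveID": "CVE-2026-20182", "vendorProject": "Cisco",
  "dateAdded": "2026-05-14", "dueDate": "2026-05-17"},
 {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft",
  "dateAdded": "2026-05-15", "dueDate": "2026-05-29"}
]}"""

# Vendor fix dates come from the org's own tracking, not the KEV feed.
# Palo Alto's 13 May is stated on the page; None = no fix shipped yet (assumed).
VENDOR_FIX: dict = {"CVE-2026-0300": "2026-05-13",
                    "CVE-2026-20182": None,
                    "CVE-2026-42897": None}

def _day(s: str) -> date:
    return datetime.strptime(s, "%Y-%m-%d").date()

def classify(entry: dict, fix: Optional[str], today: date) -> dict:
    """Work out the remediation posture for one KEV entry as of `today`."""
    added, due = _day(entry["dateAdded"]), _day(entry["dueDate"])
    fix_date = _day(fix) if fix else None
    if fix_date is None:
        posture = "mitigate-and-monitor"  # no fix: mitigate, log, document gap
    elif fix_date <= due:
        posture = "patch"                 # fix available inside the window
    else:
        posture = "patch-late"  # fix shipped after deadline: patch, document lapse
    return {"cve": entry["cveID"], "vendor": entry["vendorProject"],
            "window_days": (due - added).days,
            "days_left": (due - today).days, "posture": posture}

def triage(feed_json: str, vendor_fix: dict, today_iso: str) -> list:
    """Parse the feed and order entries by urgency (fewest days left first)."""
    today = _day(today_iso)
    rows = [classify(v, vendor_fix.get(v["cveID"]), today)
            for v in json.loads(feed_json)["vulnerabilities"]]
    return sorted(rows, key=lambda r: (r["days_left"], r["cve"]))

if __name__ == "__main__":
    for row in triage(KEV_FEED, VENDOR_FIX, "2026-05-20"):
        print(row)
```

Run as of the page's refresh date, the script shows both 3-day windows already lapsed, with the Cisco entry still in mitigate-and-monitor and the Palo Alto entry needing a documented late patch.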
For context, the catalogue's obligations have grown while the agency responsible for maintaining and enforcing them faces a proposed $707m CISA cut affecting 860 staff, a budget constraint that reduces the agency's capacity to sustain the advisory quality and frequency the KEV's signal value depends on.