Six actively exploited vulnerabilities reached CISA's KEV catalogue of Known Exploited Vulnerabilities across three updates in this fortnight, roughly 0.86 additions a day, under the risk-tiered BOD 26-04 that replaced the fixed-deadline BOD 22-01 on 10 June . The first-ever Splunk KEV deadline and the triple-CVSS-10 Ubiquiti listing both passed with no public CISA naming of a non-compliant agency. 1
CISA lists a CVE, the public identifier for a disclosed software flaw, only once active exploitation is confirmed. Additions have slowed only modestly under a directive built to let agencies triage rather than patch every entry on a fixed clock, and the proposed FY27 CISA budget cut has not visibly dented catalogue growth. Triage changed the obligation, not the threat. Absence of a compliance report is not proof of enforcement, nor of its failure; the new model's teeth stay untested until CISA names someone.
Whether three unrelated crews cashing in three unrelated flaws in one fortnight marks a closing window between disclosure and exploitation or ordinary churn will not be settled by a fortnight's data. The two dated arcs, FortiBleed to Lynx and BlueHammer to SYSTEM access, are what carry the point for now.
