Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
14JUL

BOD 26-04, a fortnight of triage

2 min read
08:46UTC

CISA added six exploited CVEs in the first fortnight under BOD 26-04's triage model, and let the Splunk and Ubiquiti deadlines pass without naming anyone non-compliant.

TechnologyAssessed
Key takeaway

Six exploited flaws landed in a fortnight under BOD 26-04, with no agency named non-compliant yet.

Six actively exploited vulnerabilities reached CISA's KEV catalogue of Known Exploited Vulnerabilities across three updates in this fortnight, roughly 0.86 additions a day, under the risk-tiered BOD 26-04 that replaced the fixed-deadline BOD 22-01 on 10 June . The first-ever Splunk KEV deadline and the triple-CVSS-10 Ubiquiti listing both passed with no public CISA naming of a non-compliant agency. 1

CISA lists a CVE, the public identifier for a disclosed software flaw, only once active exploitation is confirmed. Additions have slowed only modestly under a directive built to let agencies triage rather than patch every entry on a fixed clock, and the proposed FY27 CISA budget cut has not visibly dented catalogue growth. Triage changed the obligation, not the threat. Absence of a compliance report is not proof of enforcement, nor of its failure; the new model's teeth stay untested until CISA names someone.

Whether three unrelated crews cashing in three unrelated flaws in one fortnight marks a closing window between disclosure and exploitation or ordinary churn will not be settled by a fortnight's data. The two dated arcs, FortiBleed to Lynx and BlueHammer to SYSTEM access, are what carry the point for now.

Deep Analysis

In plain English

CISA is the US government's cyber-security agency, and it keeps a public list of software flaws it knows criminals are actively using, ordering federal agencies to fix each one by a set deadline. This fortnight it added six such flaws across three updates, working out to roughly one every day and a bit. Two earlier deadlines, for flaws in Splunk software and Ubiquiti networking gear, passed during this period, but unlike under the old rules, CISA did not publicly say whether any agency missed them. The new system, called BOD 26-04, replaced an older rule that used to name agencies that missed deadlines; supporters say private tracking avoids handing criminals a list of slow-patching targets, critics say it removes the pressure that used to get things fixed.

Deep Analysis
Root Causes

BOD 26-04's risk-tiered model, which replaced BOD 22-01's flat two-week deadline on 10 June, lets CISA compress deadlines for the worst internet-facing bugs, three days for the SharePoint flaw this fortnight, while giving lower-risk vulnerabilities more remediation time. The 0.86-a-day addition rate is the tiering functioning as intended, not evidence of a slowdown.

CISA's decision not to publicly name any non-compliant agency after the Splunk and Ubiquiti deadlines passed reflects a policy choice made when BOD 26-04 replaced 22-01: public naming under the old directive was criticised internally as creating a target list for adversaries, so the new directive tracks compliance privately instead.

What could happen next?
  • Meaning

    CISA's move away from public non-compliance naming under BOD 26-04 removes an accountability mechanism BOD 22-01 relied on, with no public data yet available on whether private tracking achieves comparable patch speed.

  • Risk

    Without public naming, oversight bodies such as Congress or the Government Accountability Office lose an early public signal for which federal agencies are falling behind on the worst vulnerabilities.

First Reported In

Update #9 · FortiBleed harvest linked to Lynx crew

CISA· 4 Jul 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.