Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
4JUL

A quiet KEV fortnight, then a 2008 bug

2 min read
11:00UTC

CISA's Known Exploited Vulnerabilities catalogue added seven low-profile CVEs between 5 and 14 July, capped by an 18-year-old Cisco IOS flaw.

TechnologyDeveloping
Key takeaway

A quiet KEV fortnight is ambiguous: a genuine exploitation lull or a triage doctrine, not yet separable.

CISA's Known Exploited Vulnerabilities (KEV) catalogue, the US register of flaws confirmed under active exploitation, added seven CVEs between 5 and 14 July, none from a headline enterprise-security vendor 1. Six sit in web software: four Joomla extensions, the AI-app builder Langflow, and Adobe ColdFusion, with no Cisco, Fortinet, Microsoft or Ivanti entry among them. The seventh breaks the pattern: CVE-2008-4128, an 18-year-old cross-site request forgery (CSRF) flaw in Cisco IOS, added on Monday 13 July.

The catalogue stood at 1,638 entries on 14 July, up from 1,585 at the end of April, roughly 53 additions in ten weeks 2. April alone added 16 in 13 days. CVE-2008-4128 is the oldest KEV entry this beat has tracked, extending the ancient-revival thread that ran through a 17-year-old Office bug in April .

Two readings fit the slowdown, and a single fortnight cannot separate them. Either confirmed active exploitation genuinely eased over the summer, or BOD 26-04, the risk-tiered directive that replaced patch-everything rules in June , is already reshaping what gets listed and how fast. The fortnight-of-triage note two weeks ago raised the same question. KEV feeds patch prioritisation in tools like Qualys, Tenable and Rapid7, so any editorial shift behind the listings propagates into every enterprise treating the feed as ground truth. Ten weeks is too short to credit a doctrine shift, so this stays a hypothesis to watch.

Deep Analysis

In plain English

CISA, the US government's cyber-security agency, keeps a public list called the Known Exploited Vulnerabilities catalogue: software and hardware flaws that criminals are actually using in real attacks, rather than theoretical weaknesses. This fortnight was quiet: only seven new entries, six in ordinary web software. The odd one out was an 18-year-old bug in Cisco's router software, first found in 2008, only now confirmed as being actively exploited, which means some Cisco routers out there are still running software old enough to vote.

Deep Analysis
Root Causes

CISA lists a flaw on the KEV catalogue once there is evidence of active exploitation, not at the point of disclosure. CVE-2008-4128 sat off the catalogue for eighteen years because nobody had evidence it was being exploited in the wild.

Its addition this fortnight means that evidence now exists, most likely against unsupported, end-of-life Cisco IOS devices that were never going to receive the 2008 patch through a normal vendor update cycle.

First Reported In

Update #10 · One operator worked both ransomware brands

CISA· 14 Jul 2026
Read original
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.