CISA Adds Seven Known Exploited Vulnerabilities to Catalog
CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, including flaws in Microsoft Windows, Internet Explorer and Adobe products dating back to 2008, citing evidence of active exploitation.

CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation. The list includes CVE-2008-4250 (Microsoft Windows Server Service buffer overflow, patched in MS08-067), CVE-2009-1537 (Microsoft DirectX NULL byte overwrite), CVE-2009-3459 (Adobe Acrobat and Reader heap-based buffer overflow), CVE-2010-0249 and CVE-2010-0806 (Microsoft Internet Explorer use-after-free), and CVE-2026-41091 and CVE-2026-45498 (Microsoft Defender elevation of privilege and denial of service, respectively). These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.
Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.
The inclusion of vulnerabilities dating back to 2008 and 2009 underscores the persistence of legacy software risk. CVE-2008-4250 is the Server Service flaw behind the Conficker worm, yet unpatched or out-of-support Windows hosts, Internet Explorer installations and old Adobe Reader builds still turn up on networks and remain easy targets. For products that no longer receive updates, remediation usually means upgrading, isolating or retiring the system rather than applying a patch; the catalog's required action for many entries permits discontinuing use of the product where vendor mitigations are unavailable. The two Microsoft Defender flaws carry 2026 CVE identifiers, a reminder that security tooling is itself part of the attack surface and needs the same patch discipline as the software it protects.
CISA's KEV Catalog serves as a critical resource for prioritizing patching efforts. By mandating remediation for federal agencies and strongly recommending it for all organizations, CISA aims to reduce the attack surface exploited by cybercriminals and nation-state actors. Organizations should immediately check their asset inventories for affected software versions and apply available patches.
The seven newly added CVEs bring the total number of entries in the KEV Catalog to over 1,000. CISA updates the catalog whenever new evidence of active exploitation emerges and publishes it as machine-readable JSON and CSV feeds alongside the web listing. Security teams should subscribe to CISA alerts and pull those feeds into their vulnerability management workflow, so that KEV-listed findings are ranked ahead of CVSS-only scores and tracked against the catalog's due dates rather than a generic patch cadence.
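One way to wire the catalog into a patch-prioritisation workflow, as an added example that is not CISA's code: the script below indexes a KEV feed by CVE ID, matches it against vulnerability-scanner findings, and orders the matches by days remaining until the CISA due date, with known-ransomware entries first among ties. The field names (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse) follow the real feed at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json, but the catalog excerpt, scanner findings, hostnames, dates and ransomware flags embedded here are constructed so the example runs offline; they are not CISA's published values for these CVEs.

```python
"""Rank scanner findings against the CISA KEV catalog (added example, not CISA's code)."""
import json
from dataclasses import dataclass
from datetime import date

# Real feed location; replace SAMPLE_KEV_JSON with its contents in production.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed stand-in for the feed, following its schema. dateAdded, dueDate and
# knownRansomwareCampaignUse values here are illustrative, not CISA's.
SAMPLE_KEV_JSON = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "catalogVersion": "sample",
    "count": 3,
    "vulnerabilities": [
        {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Buffer Overflow Vulnerability",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
         "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-2010-0249", "vendorProject": "Microsoft", "product": "Internet Explorer",
         "vulnerabilityName": "Microsoft Internet Explorer Use-After-Free Vulnerability",
         "dateAdded": "2026-04-20", "dueDate": "2026-05-11",
         "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
         "vulnerabilityName": "Microsoft Defender Elevation of Privilege Vulnerability",
         "dateAdded": "2026-05-05", "dueDate": "2026-05-26",
         "knownRansomwareCampaignUse": "Unknown"},
    ],
})

# Constructed scanner output: one finding per (host, CVE). The last CVE ID is a
# placeholder that is deliberately not in the catalog.
SAMPLE_FINDINGS = [
    {"host": "fileserver01", "cve": "CVE-2008-4250"},
    {"host": "kiosk07", "cve": "cve-2010-0249"},        # lower case on purpose
    {"host": "wks-112", "cve": "CVE-2026-41091"},
    {"host": "wks-112", "cve": "CVE-0000-0000"},         # placeholder, not a real ID
]


@dataclass
class Action:
    host: str
    cve: str
    product: str
    due: date
    days_left: int          # negative once the CISA due date has passed
    ransomware: bool        # knownRansomwareCampaignUse == "Known"


def load_kev(feed_text):
    """Index the catalog by CVE ID. Raises KeyError if the feed is not shaped as expected."""
    data = json.loads(feed_text)
    return {v["cveID"].upper(): v for v in data["vulnerabilities"]}


def triage(findings, kev, today):
    """Keep only KEV-listed findings, ordered: most overdue first, then nearest due
    date, then entries with known ransomware use, then host name for stable output."""
    actions = []
    for f in findings:
        entry = kev.get(f["cve"].strip().upper())
        if entry is None:
            continue                                     # not in KEV: handled by normal SLA
        due = date.fromisoformat(entry["dueDate"])
        actions.append(Action(
            host=f["host"], cve=entry["cveID"], product=entry["product"],
            due=due, days_left=(due - today).days,
            ransomware=entry.get("knownRansomwareCampaignUse") == "Known"))
    actions.sort(key=lambda a: (a.days_left, not a.ransomware, a.host))
    return actions


def report(actions):
    """Render one line per action; OVERDUE lines are the ones to escalate today."""
    lines = []
    for a in actions:
        state = f"OVERDUE by {-a.days_left}d" if a.days_left < 0 else f"due in {a.days_left}d"
        flag = " [ransomware]" if a.ransomware else ""
        lines.append(f"{a.host:14} {a.cve:16} {a.product:20} {state}{flag}")
    return "\n".join(lines)


def run_sample(today_iso="2026-05-15"):
    """Run the pipeline on the constructed inputs as of the given date."""
    return triage(SAMPLE_FINDINGS, load_kev(SAMPLE_KEV_JSON), date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(report(run_sample()))
```

With the constructed data and an as-of date of 2026-05-15, the two entries whose due date has already passed come out first, the ransomware-flagged one ahead of the other, and the placeholder CVE that is absent from the catalog is dropped. In a real run the feed text would come from KEV_FEED_URL and the findings from the scanner export, and anything reported as OVERDUE is a BOD 22-01 compliance gap for an FCEB agency.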