All news with #cisa kev tag

⚠️ CISA has added CVE-2026-20131 to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The vulnerability involves deserialization of untrusted data in Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management. This class of flaw is a common attack vector and poses significant risk. CISA reminds Federal Civilian Executive Branch agencies to remediate per BOD 22-01 and urges all organizations to prioritize timely remediation as part of normal vulnerability management.

⚠️ CISA has added CVE-2026-20963 — a Microsoft SharePoint deserialization of untrusted data vulnerability — to its Known Exploited Vulnerabilities (KEV) Catalog after observing active exploitation. This class of flaw is a frequent attack vector that can allow malicious actors to execute code or manipulate data when untrusted input is deserialized. CISA reminds Federal Civilian Executive Branch agencies that BOD 22-01 requires remediation by the assigned due dates and strongly urges all organizations to prioritize timely fixes.

🔔 CISA added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog — CVE-2025-66376, a cross-site scripting (XSS) issue in Synacor Zimbra Collaboration Suite (ZCS). Evidence indicates active exploitation, prompting inclusion under BOD 22-01 guidance. While the binding directive applies to FCEB agencies, CISA strongly urges all organizations to prioritize remediation. CISA will continue to update the KEV Catalog as new exploited vulnerabilities are identified.

⚠️ CISA warned federal agencies to secure Wing FTP Server instances after adding CVE-2025-47813 to its catalog of actively exploited vulnerabilities. The flaw allows low-privileged actors to trigger error messages that expose the full local installation path and can be chained with an already-exploited RCE (CVE-2025-47812). The vendor released fixes in Wing FTP Server v7.4.4 in May 2025; organizations should apply updates or vendor mitigations immediately.

🛡️ CISA has added CVE-2025-47813, an information disclosure vulnerability affecting Wing FTP Server, to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. This class of flaw is frequently abused by threat actors and poses a notable risk to the federal enterprise. Under BOD 22-01, Federal Civilian Executive Branch agencies are required to remediate KEV items by the specified due dates. CISA urges all organizations to prioritize timely remediation as part of standard vulnerability management.

⚠️n8n's critical expression-injection flaw, tracked as CVE-2025-68613 (CVSS 9.9), has been added to CISA's Known Exploited Vulnerabilities catalog following evidence of active exploitation. The issue allows an authenticated attacker to perform remote code execution via the workflow expression evaluation system, risking full instance compromise. n8n issued fixes in December 2025 (1.120.4, 1.121.1, 1.122.0), but thousands of instances remain exposed online.

⚠️ CISA warns that an authentication-bypass bug in Ivanti Endpoint Manager (CVE-2026-1603), patched Feb. 9, is being actively exploited to leak stored credentials. The agency also added related SolarWinds and VMware defects to its Known Exploited Vulnerabilities catalog. CISA updated an emergency directive for Cisco SD‑WAN flaws (CVE-2026-20127, CVE-2022-20775), citing signs of long-running exploitation and imposing new reporting and log-submission requirements for federal agencies, including a March 26 deadline.

🔔 CISA has ordered federal agencies to patch an actively exploited remote code execution flaw in n8n, tracked as CVE-2025-68613, which permits authenticated attackers to run arbitrary code with the n8n process's privileges. The n8n team released n8n v1.122.0 in December to address the issue and urges immediate upgrades; temporary mitigations include restricting workflow creation/editing, limiting OS privileges, and reducing network access. Shadowserver reports over 40,000 exposed instances globally, prompting a March 25 remediation deadline for federal civilian agencies under BOD 22-01.

⚠️ CISA added CVE-2025-68613 to its Known Exploited Vulnerabilities (KEV) Catalog after evidence of active exploitation involving n8n. The issue is classified as an Improper Control of Dynamically-Managed Code Resources vulnerability and poses elevated risk to enterprise environments. CISA reminds Federal Civilian Executive Branch agencies that BOD 22-01 mandates remediation of KEV entries and strongly urges all organizations to prioritize timely patching and mitigation to reduce exposure.

⚠️ CISA has added three vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog: CVE-2021-22054 (Omnissa Workspace ONE SSRF), CVE-2025-26399 (SolarWinds Web Help Desk insecure deserialization), and CVE-2026-1603 (Ivanti Endpoint Manager authentication bypass). BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate listed KEV entries by the specified deadlines. CISA strongly urges all organizations to prioritize timely patching and mitigation to reduce exposure to active exploitation.

🛡️ CISA has ordered federal agencies to patch three iOS vulnerabilities targeted by the Coruna exploit kit, which bundles multiple chains for at least 23 iOS flaws. Google researchers say Coruna provides PAC bypass, sandbox and PPL escapes, WebKit remote code execution and kernel elevation. Exploits are mitigated on recent iOS releases and can be blocked by private browsing or Lockdown Mode. CISA added the flaws to its KEV list and set a March 26 remediation deadline under BOD 22-01, urging organizations to prioritize fixes.

🔒 CISA added two critical vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog affecting Hikvision and Rockwell Automation. CVE-2017-7921 (CVSS 9.8) is an improper authentication flaw that can enable privilege escalation and exposure of sensitive information in multiple Hikvision products. CVE-2021-22681 (CVSS 9.8) involves insufficiently protected credentials in Studio 5000 Logix Designer, RSLogix 5000 and Logix Controllers, which can allow an unauthorized network user to bypass verification and modify controller configuration or application code. SANS has detected exploit attempts targeting vulnerable Hikvision cameras; there are no public reports of active attacks exploiting the Rockwell issue. Federal civilian agencies are required to update to supported software by March 26, 2026 under BOD 22-01, and CISA urges all organizations to prioritize remediation of KEV-listed vulnerabilities.

🔔 CISA has added five vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. The new entries affect Hikvision, Rockwell, and multiple Apple products and include CVE-2017-7921, CVE-2021-22681, CVE-2021-30952, CVE-2023-41974, and CVE-2023-43000. Under BOD 22-01 Federal Civilian Executive Branch agencies must remediate listed CVEs by the required due dates; CISA strongly urges all organizations to prioritize timely remediation to reduce exposure to common attack vectors.

⚠️ CISA added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2026, after observing evidence of active exploitation. The entries include CVE-2026-21385, a memory corruption issue impacting multiple Qualcomm chipsets, and CVE-2026-22719, a command injection vulnerability affecting Broadcom VMware Aria Operations. Under BOD 22-01, Federal Civilian Executive Branch agencies must remediate cataloged flaws by the required due dates; CISA also strongly urges all organizations to prioritize timely remediation. CISA will continue to add vulnerabilities that meet its KEV criteria.

🔒 CISA warns that the RESURGE implant can remain latent on Ivanti Connect Secure devices, evading detection by awaiting a specific inbound TLS connection rather than beaconing to a command-and-control server. The 32-bit Linux Shared Object libdsupgrade.so hooks the web process, inspects TLS packets using a CRC32 fingerprint, and authenticates attackers with a forged Ivanti certificate. The agency notes related tools like liblogblock.so for log tampering and a kernel extraction script, and it urges administrators to use updated IoCs and hashes to discover and remove dormant infections.

⚠️ Government security agencies have urged immediate patching of a critical zero-day, CVE-2026-20127, impacting Cisco Catalyst SD-WAN Controller and SD-WAN Manager. The authentication bypass can grant unauthenticated remote attackers administrative privileges, NETCONF access and the ability to alter SD-WAN configuration. Authorities including CISA and Five Eyes partners require urgent patching and threat hunting; Cisco released fixes on 25 February 2026.

⚠️CISA has added two Cisco SD‑WAN vulnerabilities (CVE‑2022‑20775 and CVE‑2026‑20127) to the Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. These affect Cisco Catalyst SD‑WAN components and include a path traversal and an authentication bypass that can enable unauthorized access. Under BOD 22‑01, FCEB agencies must remediate by required due dates; CISA urges all organizations to prioritize timely mitigation.

🚨 CISA has added a recently disclosed FileZen vulnerability, CVE-2026-25108 (CVSS v4 8.7), to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. The issue is an OS command injection that allows an authenticated user to execute arbitrary commands via specially crafted HTTP requests. Affected versions include 4.2.1–4.2.8 and 5.0.0–5.0.10; Soliton advises updating to 5.0.11 or later and changing passwords if exploitation is suspected. Federal agencies must remediate by March 17, 2026.

⚠️ CISA added CVE-2026-25108, a FileZen OS command injection vulnerability affecting Soliton Systems K.K., to its Known Exploited Vulnerabilities (KEV) Catalog following evidence of active exploitation. Command injection is a frequent and high-risk vector that can enable remote code execution and system compromise. Under BOD 22-01 federal agencies must remediate KEV entries by required deadlines; CISA strongly urges all organizations to prioritize remediation, apply vendor fixes or mitigations, and monitor for related activity.

⚠️ CISA has added two Roundcube webmail vulnerabilities — CVE-2025-49113 and CVE-2025-68461 — to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. CVE-2025-49113 (CVSS 9.9) is an authenticated deserialization flaw allowing remote code execution via an unvalidated _from parameter and was fixed in June 2025. CVE-2025-68461 (CVSS 7.2) is an XSS triggered by the SVG animate tag and was patched in December 2025 in Roundcube releases 1.6.12 and 1.5.12. Researchers reported weaponization within 48 hours and an exploit was offered for sale; FCEB agencies must remediate by March 13, 2026.