Last updated: July 5, 2026 at 9:01 AM UTC
Tag: cisa-kev (33 articles)

SharePoint remote code execution flaw added to CISA KEV after active exploitation

CISA has added a SharePoint remote code execution flaw to its Known Exploited Vulnerabilities catalog after confirming active exploitation, months after Microsoft rated it less likely to be attacked. The bug (CVE-2026-45659, CVSS 8.8) comes from unsafe deserialization of untrusted data and lets an authenticated attacker with only Site Member permissions run code on a SharePoint server over the network, with low complexity and no user interaction. Microsoft patched it in May for SharePoint Server Subscription Edition, 2019, and Enterprise 2016. On-premises SharePoint is a repeated target because it holds sensitive data and is often internet-facing, and it has a long history of weaponized code execution flaws.

Check
Confirm the May 2026 SharePoint updates are applied to all on-premises servers, restrict internet exposure, and hunt for web shells, unexpected scheduled tasks, and unauthorized file changes on internet-facing SharePoint.
Affected
On-premises SharePoint Server Subscription Edition, 2019, and Enterprise 2016 missing the May 2026 patch (CVE-2026-45659); any authenticated user with Site Member permissions can run code remotely on the server.
Fix
Apply Microsoft's May 2026 SharePoint updates now, limit SharePoint to trusted networks or a VPN, tighten privileged access, and run a compromise assessment on internet-facing servers given confirmed exploitation.

Windows Defender BlueHammer flaw now used by ransomware gangs for SYSTEM access

CISA has updated its Known Exploited Vulnerabilities catalog to warn that ransomware gangs are now exploiting BlueHammer, a Microsoft Defender privilege-escalation flaw. The bug (CVE-2026-33825) lets a local attacker who already has a foothold escalate to SYSTEM by abusing Defender's file-remediation logic, giving them access to password hashes and the control needed to disable defenses and prepare systems for encryption. It was leaked with proof-of-concept code by a researcher in early April as a protest over Microsoft's disclosure process, exploited as a zero-day, then patched on April 14. It cannot be used for remote compromise on its own, but it strengthens attackers after initial access.

Check
Confirm the April 2026 Microsoft Defender update is applied across all Windows systems, and review endpoint logs for local privilege escalation, suspicious local-account access, and attempts to dump or read password hashes.
Affected
Windows systems missing the April 2026 Defender patch (CVE-2026-33825); after gaining initial access, attackers use the flaw to reach SYSTEM privileges, dump password hashes, and disable defenses ahead of ransomware.
Fix
Ensure the Microsoft Defender update is installed everywhere, prioritize systems exposed to phishing or stolen-credential access, and monitor for privilege-escalation behavior, since this flaw is now part of active ransomware playbooks.

PTC Windchill flaw exploited for remote code execution on manufacturing systems

Attackers are actively exploiting a critical flaw in PTC Windchill and FlexPLM, product lifecycle management software widely used across automotive, aerospace, defense, and manufacturing to store designs, engineering data, and intellectual property. The bug (CVE-2026-12569) is an unsafe deserialization issue that lets an unauthenticated attacker run code remotely by sending a crafted request. PTC patched it in mid-June, but has since reported heightened activity, with attackers deploying JSP web shells for command execution and data theft. CISA added it to its Known Exploited Vulnerabilities catalog, the first-ever PTC product to be listed, with a federal deadline of June 28. PTC has published indicators of compromise.

Check
Inventory PTC Windchill and FlexPLM instances and versions, restrict internet exposure of the login endpoint, and hunt for the JSP web shells and indicators of compromise PTC published.
Affected
Organizations running unpatched PTC Windchill or FlexPLM (CVE-2026-12569), especially internet-facing instances; manufacturers in automotive, aerospace, and defense risk remote code execution, intellectual-property theft, and supply-chain compromise.
Fix
Apply PTC's patches for your Windchill or FlexPLM version immediately, restrict the login endpoint to trusted networks, deploy the published IOCs, and check for web shells before assuming systems are clean.

Ubiquiti UniFi and Lantronix flaws now exploited; CISA sets June 26 deadline

CISA has confirmed active exploitation of four critical flaws in Ubiquiti UniFi OS and Lantronix EDS5000 devices, adding them to its Known Exploited Vulnerabilities catalog with a June 26 deadline for federal agencies. Three UniFi OS bugs (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910), each rated 10.0, can be chained for unauthenticated remote code execution and root; attackers were seen creating rogue admin accounts. The Lantronix flaw (CVE-2025-67038) is an unauthenticated root command injection in the EDS5000 serial console server. Ubiquiti patched UniFi OS Server in version 5.0.8, and Lantronix in firmware 2.2.0.0R1. Compromised network appliances let attackers pivot deep into internal networks.

Check
Inventory Ubiquiti UniFi OS consoles and gateways and any Lantronix EDS5000 device servers, confirm their firmware versions, and review logs for unexpected admin accounts or commands, especially on internet-reachable management interfaces.
Affected
UniFi OS devices before Server version 5.0.8 (CVE-2026-34908, CVE-2026-34909, CVE-2026-34910) and Lantronix EDS5000 on firmware 2.1.0.0R3 (CVE-2025-67038); unauthenticated attackers can reach root and pivot inward.
Fix
Update UniFi OS to 5.0.8 or later and Lantronix EDS5000 to firmware 2.2.0.0R1 before the June 26 deadline, and restrict device management interfaces to trusted networks until patched.

Splunk Enterprise flaw now exploited, added to CISA must-patch list

A critical Splunk Enterprise flaw disclosed earlier this month is now being exploited in the wild, and CISA has added it to its known-exploited list with a June 21 federal patch deadline. The bug (CVE-2026-20253, rated 9.8) is a missing-authentication issue in a PostgreSQL sidecar service: an unauthenticated, network-reachable attacker can create or truncate arbitrary files on the Splunk host, which can cascade into log corruption, broken monitoring, and remote code execution. Both Splunk and Resecurity have confirmed active exploitation, and a public proof-of-concept and Nuclei template exist. Because Splunk underpins many SOC and SIEM operations, a compromise can blind defenders.

Check
Identify Splunk Enterprise instances running 10.2.x before 10.2.4 or 10.0.x before 10.0.7, check whether the PostgreSQL sidecar endpoint is network-reachable, and review logs for path-traversal attempts and unexpected PostgreSQL connections.
Affected
Splunk Enterprise 10.2 versions before 10.2.4 and 10 versions before 10.0.7 (CVE-2026-20253); instances whose PostgreSQL sidecar endpoint is reachable from untrusted networks are at highest risk.
Fix
Patch to Splunk Enterprise 10.2.4 or 10.0.7 immediately, or disable the PostgreSQL sidecar service as a temporary mitigation. Then run forensic triage for file tampering before assuming systems are clean.

SolarWinds Serv-U flaw exploited to crash file-transfer servers, now in CISA KEV

CISA has warned that attackers are actively exploiting CVE-2026-28318, a high-severity SolarWinds Serv-U denial-of-service flaw, and added it to the Known Exploited Vulnerabilities catalog. Serv-U is SolarWinds' Windows and Linux managed-file-transfer and FTP software. The flaw is an uncontrolled-resource-consumption weakness: specially crafted POST requests using Content-Encoding: deflate crash the Serv-U service without authentication, in low-complexity attacks needing no user interaction. SolarWinds shipped Serv-U 15.5.4 Hotfix 1 and advised admins who cannot patch to restrict access and block POST requests containing content-encoding. Shodan tracks over 12,000 exposed Serv-U servers (Shadowserver around 3,100). FCEB agencies must patch by June 19 under BOD 22-01.

Check
Inventory SolarWinds Serv-U servers, especially internet-exposed ones (Shodan shows 12,000+). Confirm Serv-U 15.5.4 Hotfix 1 is applied. Monitor for crashes and crafted deflate POST requests.
Affected
SolarWinds Serv-U MFT/FTP servers before 15.5.4 Hotfix 1. Unauthenticated, low-complexity DoS via POST requests using Content-Encoding: deflate. Over 12,000 instances exposed online per Shodan.
Fix
Apply Serv-U 15.5.4 Hotfix 1. If patching must wait, restrict access to known addresses and block POST requests containing content-encoding. FCEB agencies must remediate by June 19.

Google June Android update fixes 124 flaws including exploited Framework zero-day CVE-2025-48595 - also added to CISA KEV same day

Google has released the June 2026 Android security patches addressing 124 vulnerabilities, including CVE-2025-48595, a high-severity Android Framework flaw under limited, targeted exploitation. Local attackers can abuse it to gain code execution and escalate privileges on Android 14 or later. Google fixed 18 critical vulnerabilities this cycle across System, Framework, and Qualcomm closed-source components; the most severe is a critical Framework flaw enabling remote privilege escalation with no user interaction. Two patch levels shipped (2026-06-01 and 2026-06-05). CISA added CVE-2025-48595 to its KEV catalog the same day. Pixel devices get updates immediately; other vendors typically lag. Similar Android Framework flaws have historically been abused by commercial spyware.

Check
Inventory Android fleet by version and patch level. Confirm devices show the 2026-06-05 patch level. Prioritize Android 14+ devices for CVE-2025-48595; push updates via MDM where possible.
Affected
Android 14 and later unpatched against the June 2026 update. CVE-2025-48595 is under limited targeted exploitation; high-interest individuals face the greatest risk from likely-spyware abuse.
Fix
Apply the June 2026 Android update (2026-06-05 patch level). Non-Pixel users: pressure OEMs for timely rollout. FCEB agencies must remediate CVE-2025-48595 per CISA KEV deadline.

CISA adds 4-year-old Linux kernel cgroups container-escape CVE-2022-0492 to KEV after active exploitation evidence

CISA has added CVE-2022-0492 to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. The four-year-old Linux kernel flaw is an improper-authentication issue in the cgroups v1 release_agent feature that can be abused for container escape and privilege escalation to root on the host. It is well known among container-security researchers as a path to breaking out of misconfigured containers lacking AppArmor/SELinux or seccomp restrictions. Its appearance on KEV signals active in-the-wild abuse, likely in cloud and container environments. FCEB agencies must remediate by the BOD 22-01 deadline; all organizations running container workloads on older kernels should patch and verify hardening immediately.

Check
Inventory container hosts running kernels unpatched against CVE-2022-0492. Check for containers running without AppArmor/SELinux or seccomp confinement, which makes the release_agent escape exploitable.
Affected
Linux hosts on older kernels with the cgroups v1 release_agent flaw, especially containers lacking AppArmor/SELinux or seccomp restrictions. Active exploitation now confirmed via CISA KEV listing.
Fix
Patch host kernels. Enforce seccomp and AppArmor/SELinux on all containers. Drop CAP_SYS_ADMIN where unneeded. FCEB agencies must remediate by the CISA KEV deadline.

CISA adds Oracle WebLogic Server CVE-2024-21182 to KEV after active exploitation evidence - FCEB patch deadline set

CISA has added CVE-2024-21182, an unspecified vulnerability in Oracle WebLogic Server, to its Known Exploited Vulnerabilities catalog based on evidence of active exploitation. WebLogic is a widely deployed Java EE application server that frequently sits on internet-facing infrastructure, making it a recurring target for initial access and cryptomining campaigns. Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate KEV-listed flaws by the assigned deadline, and CISA urges all organizations to prioritize patching. Oracle addressed the flaw in a prior Critical Patch Update; organizations running unpatched WebLogic instances should apply the relevant CPU and audit for signs of exploitation immediately.

Check
Inventory Oracle WebLogic Server instances, especially internet-facing ones, and confirm the relevant Oracle Critical Patch Update addressing CVE-2024-21182 is applied. Audit logs for exploitation indicators.
Affected
Oracle WebLogic Server instances unpatched against CVE-2024-21182. Internet-facing deployments are at highest risk; WebLogic is a recurring target for initial access and cryptomining.
Fix
Apply the relevant Oracle Critical Patch Update immediately. FCEB agencies must remediate by the CISA KEV deadline. Remove WebLogic admin consoles from public internet exposure.

Palo Alto PAN-OS GlobalProtect authentication bypass CVE-2026-0257 actively exploited since May 17, added to CISA KEV - patch urgently

Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.

Check
Inventory PAN-OS and Prisma Access firewalls with GlobalProtect portal/gateway configured. Check whether authentication-override cookies are enabled. Review VPN logs for unauthorized sessions since May 17.
Affected
PAN-OS firewalls with GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Exploitation confirmed across numerous Rapid7 customers since May 17.
Fix
Apply the Palo Alto patch urgently. Temporary mitigation: disable the authentication-override feature or generate a dedicated certificate for it. FCEB agencies must remediate per CISA KEV deadline.