CISA KEV Alert: Patch Now for Exploited Flaws in SolarWinds, Microsoft, Notepad++, and Apple

CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Mandating Federal Patching

HIGH
February 17, 2026
4m read
Patch Management, Vulnerability, Regulatory

Related Entities

Threat Actors

Lotus Blossom

Products & Tech

Notepad++, SolarWinds Web Help Desk, Microsoft Configuration Manager

CVE Identifiers

CVE-2025-40536: HIGH (CVSS 8.1)
CVE-2024-43468: CRITICAL (CVSS 9.8)
CVE-2025-15556: HIGH (CVSS 7.7)
CVE-2026-20700: HIGH (CVSS 7.8)

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on the basis of evidence that each is being actively exploited. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate each KEV entry by its due date to protect federal networks. The vulnerabilities affect products from SolarWinds, Microsoft, Notepad++, and Apple. CISA strongly recommends that all public and private sector organizations also prioritize patching them to reduce their exposure to active threats.


Vulnerabilities Addressed

The four vulnerabilities added to the KEV catalog are:

  1. CVE-2025-40536 - SolarWinds Web Help Desk (WHD)

    • Description: A security control bypass that lets an attacker circumvent the application's Cross-Site Request Forgery (CSRF) protections.
    • CVSS Score: 8.1 (High)
    • Impact: An attacker who lures an authenticated WHD user to a crafted page can cause the application to perform actions in that user's session, with that user's privileges.
    • Patch Deadline (FCEB): February 15, 2026
  2. CVE-2024-43468 - Microsoft Configuration Manager

    • Description: A critical SQL injection vulnerability.
    • CVSS Score: 9.8 (Critical)
    • Impact: An unauthenticated remote attacker can achieve remote code execution on the server, potentially leading to a full compromise of the Configuration Manager site.
    • Patch Deadline (FCEB): March 5, 2026
  3. CVE-2025-15556 - Notepad++

    • Description: A flaw in the WinGUp update mechanism that failed to perform an integrity check on downloaded updates.
    • CVSS Score: 7.7 (High)
    • Impact: A man-in-the-middle attacker on the update path can deliver a malicious update that the client installs without verification, a software supply chain attack. Exploitation has been attributed to the China-backed group Lotus Blossom.
    • Patch Deadline (FCEB): March 5, 2026
  4. CVE-2026-20700 - Apple Operating Systems

    • Description: A memory corruption vulnerability exploited as a zero-day.
    • CVSS Score: 7.8 (High)
    • Impact: The flaw was used in targeted attacks to compromise Apple devices before a patch was available, likely leading to arbitrary code execution.
    • Patch Deadline (FCEB): March 5, 2026

Affected Products

  • SolarWinds: Web Help Desk (WHD)
  • Microsoft: Configuration Manager
  • Notepad++: Versions with the vulnerable WinGUp updater.
  • Apple: A wide range of products, including iOS, iPadOS, macOS, watchOS, tvOS, and visionOS.

Impact Assessment

The inclusion of these vulnerabilities in the KEV catalog indicates a high risk for all organizations, not just federal agencies. These are not theoretical weaknesses; they are being actively used in real-world attacks. Failure to patch could lead to a variety of negative outcomes, including unauthorized access, remote code execution, data breaches, and supply chain compromise. The Microsoft Configuration Manager flaw is particularly dangerous due to its critical CVSS score and potential for broad impact across an enterprise network.

Deployment Priority

  • Critical: All four vulnerabilities should be treated as high-priority patching targets.
  • Internet-Facing Systems: Any instances of SolarWinds WHD or Microsoft Configuration Manager exposed to the internet should be patched or taken offline immediately.
  • Federal Agencies: Must adhere to the strict deadlines set by the Binding Operational Directive (BOD 22-01).
  • All Other Organizations: Should follow CISA's guidance and patch as soon as possible, prioritizing systems based on their exposure and criticality.
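The executive summary and the deployment priorities above both turn on the same data: each KEV entry's due date, relative to today, plus whatever severity enrichment the organization keeps. The following is an added example (not code from the article or from CISA) of that triage step. The record layout follows the public KEV JSON feed's "vulnerabilities" array (fields cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse); the entries are constructed from this article's four CVEs with the dates it gives, and the CVSS table is a local enrichment, since KEV itself carries no CVSS field.

```python
"""Triage of KEV entries against their BOD 22-01 due dates.

Added example, not code from the article or from CISA. The record layout
follows the public KEV JSON feed (cveID, vendorProject, product, dateAdded,
dueDate, knownRansomwareCampaignUse); the entries below are constructed from
the four CVEs in this article, using the dates the article gives. CVSS is
not a KEV field, so it is supplied as a separate local enrichment table.
"""
from __future__ import annotations

from datetime import date

# Constructed sample shaped like the feed's "vulnerabilities" array.
KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2025-40536", "vendorProject": "SolarWinds",
         "product": "Web Help Desk", "dateAdded": "2026-02-13",
         "dueDate": "2026-02-15", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2024-43468", "vendorProject": "Microsoft",
         "product": "Configuration Manager", "dateAdded": "2026-02-13",
         "dueDate": "2026-03-05", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2025-15556", "vendorProject": "Notepad++",
         "product": "Notepad++", "dateAdded": "2026-02-13",
         "dueDate": "2026-03-05", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2026-20700", "vendorProject": "Apple",
         "product": "Multiple Products", "dateAdded": "2026-02-13",
         "dueDate": "2026-03-05", "knownRansomwareCampaignUse": "Unknown"},
    ]
}

# Local enrichment: CVSS base scores as reported in this article.
CVSS_BY_CVE = {
    "CVE-2025-40536": 8.1,
    "CVE-2024-43468": 9.8,
    "CVE-2025-15556": 7.7,
    "CVE-2026-20700": 7.8,
}


def triage(kev: dict, cvss: dict[str, float], today_iso: str) -> list[dict]:
    """Order KEV entries by remediation urgency as of `today_iso` (YYYY-MM-DD).

    Overdue entries come first (most overdue first), then entries by due
    date, then by CVSS descending, so the head of the list can go straight
    to the patch team without further sorting.
    """
    today = date.fromisoformat(today_iso)
    rows = []
    for v in kev["vulnerabilities"]:
        due = date.fromisoformat(v["dueDate"])
        days_left = (due - today).days
        rows.append({
            "cveID": v["cveID"],
            "product": f'{v["vendorProject"]} {v["product"]}',
            "dueDate": v["dueDate"],          # ISO string, sorts chronologically
            "daysLeft": days_left,
            "overdue": days_left < 0,
            "cvss": cvss.get(v["cveID"]),     # None when no local score exists
            "ransomware": v.get("knownRansomwareCampaignUse", "Unknown"),
        })
    # Unknown CVSS sorts last within its due-date group instead of crashing.
    rows.sort(key=lambda r: (not r["overdue"], r["dueDate"], -(r["cvss"] or 0.0)))
    return rows


def added_since(kev: dict, since_iso: str) -> list[str]:
    """CVE IDs whose dateAdded is on or after `since_iso`, for diffing a fresh
    feed pull against the last one that was processed."""
    since = date.fromisoformat(since_iso)
    return [v["cveID"] for v in kev["vulnerabilities"]
            if date.fromisoformat(v["dateAdded"]) >= since]


if __name__ == "__main__":
    for row in triage(KEV_SAMPLE, CVSS_BY_CVE, "2026-02-17"):
        flag = "OVERDUE" if row["overdue"] else f'{row["daysLeft"]:>3}d left'
        print(f'{flag:<12} {row["cveID"]:<15} CVSS {row["cvss"]}  {row["product"]}')
```

Run against the article's publication date, the SolarWinds entry surfaces first because its due date has already passed, and the three March 5 entries fall in CVSS order with the Configuration Manager flaw on top. In production, replace KEV_SAMPLE with the parsed feed download and keep the CVSS table in whatever vulnerability-management source the organization already trusts.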

Installation Instructions

Organizations must refer to the official security advisories from each vendor for specific patching instructions:

  • SolarWinds: Follow guidance on the SolarWinds Trust Center.
  • Microsoft: Apply the relevant security updates via Windows Update or the Microsoft Update Catalog.
  • Notepad++: Update to the latest version of the application. Because the flaw is in the updater itself, obtain the installer directly from the official Notepad++ distribution site rather than relying on a vulnerable in-app update pulled over an untrusted network.
  • Apple: Update all devices via the built-in Software Update mechanism.

Cyber Observables

To hunt for vulnerable systems, security teams can use the following observables:

Type | Value | Description
service_name | SolarWinds Web Help Desk | Identify all instances of WHD and check their version numbers against the patched version.
process_name | ccmexec.exe | Identify systems running the Microsoft Configuration Manager agent and trace back to the primary site server to check its patch level.
file_name | notepad++.exe | Scan for installations of Notepad++ and verify their version. Pay special attention to the GUP.exe file in the updater subdirectory.
log_source | Apple MDM Logs | Use Mobile Device Management (MDM) solutions to query the OS version of all managed Apple devices.
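Three of the four observables above reduce to the same check: take the version an endpoint agent or MDM reports and compare it with the first fixed build. The following is an added example (not code from the article or any vendor) of that comparison over a constructed inventory export. Two details matter in practice and are handled here: versions must be compared numerically (8.8.10 is newer than 8.8.9, which a string compare gets wrong), and a host whose version the agent could not read must be queued for review rather than silently counted as patched. The fixed-version thresholds in MIN_FIXED are assumed placeholders; the article does not list them, so replace them with the builds named in each vendor advisory.

```python
"""Version-based exposure check over a software inventory export.

Added example, not code from the article or from any vendor. Inventory rows
are constructed; the MIN_FIXED thresholds are ASSUMED placeholders to be
replaced with the builds named in the vendor advisories.
"""
from __future__ import annotations

import csv
import io
import re

# Constructed inventory export (no real hosts). The blank version on the
# last row models an agent that could not read the product's version.
INVENTORY_CSV = """hostname,product,version
ws-0142,Notepad++,8.8.6
ws-0143,Notepad++,8.8.10
srv-whd01,SolarWinds Web Help Desk,12.8.6
ipad-017,iPadOS,26.2.1
mbp-021,macOS,26.2
ws-0150,Notepad++,
"""

# Minimum fixed version and the KEV entry it closes, keyed by product name
# as the inventory reports it. ASSUMED placeholder numbers for illustration.
MIN_FIXED = {
    "Notepad++": ("8.8.9", "CVE-2025-15556"),
    "SolarWinds Web Help Desk": ("12.8.7", "CVE-2025-40536"),
    "iPadOS": ("26.3", "CVE-2026-20700"),
    "macOS": ("26.3", "CVE-2026-20700"),
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '8.8.10' or '26.2.1' into a tuple of ints for numeric comparison."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def is_below(version: str, minimum: str) -> bool:
    """True when `version` is older than `minimum`. Shorter tuples are
    zero-padded so that '8.8' compares equal to '8.8.0'."""
    a, b = parse_version(version), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def find_exposed(inventory_csv: str, min_fixed: dict) -> tuple[list[dict], list[dict]]:
    """Split in-scope inventory rows into (exposed, needs_review).

    exposed: rows whose version is below the fixed build.
    needs_review: rows for tracked products whose version could not be
    parsed; these are returned separately so they are never treated as
    patched by default.
    """
    exposed, needs_review = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        target = min_fixed.get(row["product"])
        if target is None:
            continue  # product not covered by this KEV batch
        minimum, cve = target
        try:
            below = is_below(row["version"], minimum)
        except ValueError:
            needs_review.append({**row, "cve": cve})
            continue
        if below:
            exposed.append({**row, "cve": cve, "fixed_in": minimum})
    return exposed, needs_review


if __name__ == "__main__":
    exposed, needs_review = find_exposed(INVENTORY_CSV, MIN_FIXED)
    for r in exposed:
        print(f'EXPOSED  {r["hostname"]:<10} {r["product"]:<26} {r["version"]:<8} '
              f'< {r["fixed_in"]}  ({r["cve"]})')
    for r in needs_review:
        print(f'REVIEW   {r["hostname"]:<10} {r["product"]:<26} version unknown ({r["cve"]})')
```

The same comparison applies to the ccmexec.exe observable once the Configuration Manager site server's version is in the inventory; the client process only tells you which site server to go and check.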

Timeline of Events

  1. February 13, 2026: CISA adds the four vulnerabilities to its KEV catalog.
  2. February 15, 2026: Deadline for FCEB agencies to patch the SolarWinds WHD vulnerability (CVE-2025-40536).
  3. February 17, 2026: This article was published.
  4. March 5, 2026: Deadline for FCEB agencies to patch the Microsoft, Notepad++, and Apple vulnerabilities.

MITRE ATT&CK Mitigations

Applying vendor-supplied security updates is the primary and most effective mitigation for all four vulnerabilities.

Audit (M1047, enterprise)

Continuously auditing systems with vulnerability scanning and asset management tools is crucial for identifying unpatched systems that require remediation.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

KEV, CISA, patch management, vulnerability management, SolarWinds, Microsoft
