CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Mandating Federal Patching

CISA KEV Alert: Patch Now for Exploited Flaws in SolarWinds, Microsoft, Notepad++, and Apple

HIGH
February 17, 2026
Patch Management, Vulnerability, Regulatory

Related Entities

Threat Actors

Lotus Blossom

Products & Tech

Notepad++, SolarWinds Web Help Desk, Microsoft Configuration Manager

CVE Identifiers

CVE-2025-40536 (High, CVSS 8.1)
CVE-2024-43468 (Critical, CVSS 9.8)
CVE-2025-15556 (High, CVSS 7.7)
CVE-2026-20700 (High, CVSS 7.8)

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, a listing reserved for flaws with evidence of active exploitation. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV entries by the due date CISA assigns. The four flaws affect SolarWinds Web Help Desk, Microsoft Configuration Manager, Notepad++ and Apple operating systems. CISA also urges all public- and private-sector organizations to prioritize these patches: a KEV listing means exploitation is already under way, not merely possible.


Vulnerabilities Addressed

The four vulnerabilities added to the KEV catalog are:

  1. CVE-2025-40536 - SolarWinds Web Help Desk (WHD)

    • Description: A security-control bypass that lets an attacker circumvent the application's Cross-Site Request Forgery (CSRF) protections.
    • CVSS Score: 8.1 (High)
    • Impact: An attacker who can get an authenticated WHD user to load attacker-controlled content can perform state-changing actions in WHD with that user's privileges.
    • Patch Deadline (FCEB): February 15, 2026 (already passed when this article was published)
  2. CVE-2024-43468 - Microsoft Configuration Manager

    • Description: A critical SQL injection vulnerability in the Configuration Manager server.
    • CVSS Score: 9.8 (Critical)
    • Impact: An unauthenticated remote attacker can execute code on the server, compromising the Configuration Manager site and, through it, the endpoints that site manages.
    • Patch Deadline (FCEB): March 5, 2026
  3. CVE-2025-15556 - Notepad++

    • Description: The WinGUp update mechanism did not verify the integrity of downloaded updates before running them.
    • CVSS Score: 7.7 (High)
    • Impact: An attacker positioned on the network path (man-in-the-middle) can substitute a malicious installer for the genuine update, turning the editor's own update channel into a supply-chain attack. In-the-wild exploitation has been attributed to the China-nexus group Lotus Blossom.
    • Patch Deadline (FCEB): March 5, 2026
  4. CVE-2026-20700 - Apple Operating Systems

    • Description: A memory corruption vulnerability exploited as a zero-day.
    • CVSS Score: 7.8 (High)
    • Impact: Used in targeted attacks to compromise Apple devices before a patch was available; memory corruption of this kind typically yields arbitrary code execution.
    • Patch Deadline (FCEB): March 5, 2026
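The Notepad++ entry above states the failure mode in one sentence: the updater ran what it downloaded without checking that it was what the vendor published. The Python below is an added example written for this article, not Notepad++ or WinGUp code. It simulates the download in memory so it runs offline; the installer bytes, the URL and the pinned digest are constructed values. It places the vulnerable pattern beside the hardened one and runs both against an attacker on the network path.

```python
"""Added example: an updater that installs whatever it downloads versus one
that checks integrity first.  Illustrative code written for this article,
not Notepad++/WinGUp source.  The network is simulated in memory; the
artifacts, URL and pinned digest are constructed values."""
import hashlib
import hmac
from typing import Callable

Fetcher = Callable[[str], bytes]

# Constructed sample artifacts, not real installers.
GENUINE_INSTALLER = b"MZ genuine-installer-bytes (constructed sample)"
TROJANIZED_INSTALLER = b"MZ genuine-installer-bytes + attacker-payload (constructed sample)"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Trust anchor: a digest the client obtained through a channel the on-path
# attacker cannot tamper with (a manifest fetched over HTTPS with certificate
# validation, or a signature checked with a key built into the application).
# Here it is simply pinned into the program.
PINNED_SHA256 = sha256_hex(GENUINE_INSTALLER)


def vendor_server(url: str) -> bytes:
    """Honest origin: always serves the genuine installer."""
    return GENUINE_INSTALLER


def adversary_in_the_middle(origin: Fetcher) -> Fetcher:
    """Models an attacker on the network path who lets the request go out
    but returns their own bytes in place of the vendor's response."""
    def tampered_fetch(url: str) -> bytes:
        origin(url)
        return TROJANIZED_INSTALLER
    return tampered_fetch


def vulnerable_update(fetch: Fetcher, url: str) -> str:
    """The weakness described for WinGUp: download, then execute, with no
    check that the bytes are the ones the vendor published."""
    payload = fetch(url)
    return "installed:" + sha256_hex(payload)[:12]


def hardened_update(fetch: Fetcher, url: str, pinned_sha256: str) -> str:
    """Fixed pattern: refuse plaintext transport and verify the download
    against the trust anchor before anything is written or executed."""
    if not url.lower().startswith("https://"):
        return "rejected:insecure-transport"
    payload = fetch(url)
    digest = sha256_hex(payload)
    # Constant-time comparison; on mismatch nothing is installed.
    if not hmac.compare_digest(digest, pinned_sha256):
        return "rejected:integrity-mismatch"
    return "installed:" + digest[:12]


if __name__ == "__main__":
    url = "https://updates.example.invalid/npp.installer.exe"  # constructed URL
    mitm = adversary_in_the_middle(vendor_server)
    print("vulnerable, attacker on path:", vulnerable_update(mitm, url))
    print("hardened,   attacker on path:", hardened_update(mitm, url, PINNED_SHA256))
    print("hardened,   honest server   :", hardened_update(vendor_server, url, PINNED_SHA256))
    print("hardened,   http:// download:",
          hardened_update(vendor_server, url.replace("https://", "http://"), PINNED_SHA256))
```

The pinned digest stands in for whatever trust anchor a real updater uses: a code-signing signature verified with a key shipped in the application, or a manifest fetched over TLS with certificate validation. If the digest travels over the same unauthenticated channel as the installer, the attacker simply replaces both, which is why "check the hash" only counts as an integrity check when the hash comes from somewhere the attacker cannot write.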

Affected Products

  • SolarWinds: Web Help Desk (WHD)
  • Microsoft: Configuration Manager
  • Notepad++: Releases that ship the vulnerable WinGUp updater (GUP.exe); consult the project's release notes for the fixed version.
  • Apple: A wide range of products, including iOS, iPadOS, macOS, watchOS, tvOS, and visionOS.

Impact Assessment

A KEV listing is a signal for every organization, not only federal agencies: these are flaws being used in real attacks, not theoretical weaknesses. Left unpatched, they expose organizations to unauthorized access, remote code execution, data breaches and supply-chain compromise. The Microsoft Configuration Manager flaw deserves particular attention. Beyond its 9.8 CVSS score, a Configuration Manager site server distributes software and runs scripts on every endpoint it manages, so compromising it hands an attacker a ready-made deployment channel across the enterprise.

Deployment Priority

  • All Four Vulnerabilities: Treat as high-priority patching targets regardless of CVSS score; the KEV listing means exploitation is already occurring.
  • Internet-Facing Systems: Any SolarWinds WHD or Microsoft Configuration Manager instance reachable from the internet should be patched immediately or taken offline until it is.
  • Federal Agencies: Must meet the deadlines set under Binding Operational Directive (BOD) 22-01.
  • All Other Organizations: Should follow CISA's guidance and patch as soon as possible, ordering work by each system's exposure and criticality.

Installation Instructions

Organizations must refer to the official security advisories from each vendor for specific patching instructions:

  • SolarWinds: Follow the guidance published on the SolarWinds Trust Center and upgrade WHD to the fixed release.
  • Microsoft: Configuration Manager current branch is not patched through Windows Update. Apply the fix as an in-console update from the Updates and Servicing node (or the hotfix Microsoft publishes for the affected versions), then confirm the site version in the console.
  • Notepad++: Update to the latest version. Because the vulnerable component is the updater itself, do not rely on the in-app update prompt while on an untrusted network: download the installer directly from the official site over HTTPS and verify it against the checksum or signature the project publishes before running it.
  • Apple: Update all devices via the built-in Software Update mechanism, or push the update through MDM for managed fleets.

Cyber Observables

To hunt for vulnerable systems, security teams can use the following observables:

  • service_name: SolarWinds Web Help Desk
    Identify every WHD instance and compare its version against the fixed release named in the SolarWinds advisory.
  • process_name: ccmexec.exe
    This is the Configuration Manager client agent (the SMS Agent Host service). Use it to enumerate managed systems and trace them back to the primary site server, which is where the SQL injection flaw lives and whose patch level must be checked.
  • file_name: notepad++.exe
    Locate Notepad++ installations and verify their version. Also inspect GUP.exe in the updater subdirectory, since the vulnerable component is the updater rather than the editor itself.
  • log_source: Apple MDM logs
    Query the OS version of every managed Apple device through the Mobile Device Management (MDM) solution and flag any device below the patched release.
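The observables above are inventory checks: find the installs, compare versions against the fixed release, and for Notepad++ look at the updater binary itself. The script below is an added example written for this article, not tooling from CISA or any of the vendors. The inventory CSV is constructed, and the values in FIXED_VERSIONS are placeholders that must be replaced with the fixed builds named in each vendor's advisory; the page does not state those versions. It also goes slightly beyond the page by showing why version strings must be compared numerically (8.8.10 is newer than 8.8.9, though a string comparison says otherwise).

```python
"""Added example: triage a software-inventory export against the observables
in this article.  Written for this article; the inventory rows are constructed
and FIXED_VERSIONS holds placeholder values, not the vendors' real fixed
builds."""
import csv
import io
import re
from typing import Dict, List, Tuple

# PLACEHOLDERS (assumption): replace with the fixed versions from the
# SolarWinds, Microsoft and Notepad++ advisories before relying on results.
FIXED_VERSIONS: Dict[str, str] = {
    "SolarWinds Web Help Desk": "12.9.0",
    "Microsoft Configuration Manager": "5.2403.1128.1000",
    "Notepad++": "8.8.9",
}

# Constructed CSV export from an asset-management tool (not real hosts).
SAMPLE_INVENTORY = """host,product,version,install_path
helpdesk01,SolarWinds Web Help Desk,12.8.3,/opt/whd
helpdesk02,SolarWinds Web Help Desk,12.9.0,/opt/whd
sccm-ps01,Microsoft Configuration Manager,5.2309.1113.1000,C:\\Program Files\\Microsoft Configuration Manager
sccm-ps02,Microsoft Configuration Manager,5.2403.1128.1000,C:\\Program Files\\Microsoft Configuration Manager
ws-0042,Notepad++,8.8.7,C:\\Program Files\\Notepad++
ws-0044,Notepad++,8.8.10,C:\\Program Files\\Notepad++
ws-0045,Notepad++,8.8.9,C:\\Program Files\\Notepad++
ws-0046,7-Zip,24.08,C:\\Program Files\\7-Zip
"""


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '8.8.10' into (8, 8, 10) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_older(installed: str, fixed: str) -> bool:
    """True when the installed build is below the fixed build.  Shorter
    tuples are right-padded with zeros so '5.2403' compares as '5.2403.0'."""
    a, b = version_key(installed), version_key(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def triage(inventory_csv: str, fixed_versions: Dict[str, str]) -> List[dict]:
    """Return one finding per install that is below its fixed version.
    Products not in fixed_versions are ignored."""
    findings: List[dict] = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = fixed_versions.get(row["product"])
        if fixed is None or not is_older(row["version"], fixed):
            continue
        finding = {
            "host": row["host"],
            "product": row["product"],
            "installed": row["version"],
            "fixed": fixed,
        }
        if row["product"] == "Notepad++":
            # The vulnerable component is the updater, so record the file
            # an analyst should pull and version-check on that host.
            finding["check_file"] = row["install_path"].rstrip("\\/") + "\\updater\\GUP.exe"
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY, FIXED_VERSIONS):
        extra = f"  inspect {f['check_file']}" if "check_file" in f else ""
        print(f"{f['host']}: {f['product']} {f['installed']} < fixed {f['fixed']}{extra}")
```

Feed it the export from whatever asset or vulnerability-management tool you already run; the only field that needs care is the product name, which must match the keys in FIXED_VERSIONS exactly. For the Apple observable the same logic applies to an MDM export of device OS versions.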

Timeline of Events

  1. February 13, 2026: CISA adds the four vulnerabilities to its KEV catalog.
  2. February 15, 2026: Deadline for FCEB agencies to patch the SolarWinds WHD vulnerability (CVE-2025-40536).
  3. February 17, 2026: This article was published.
  4. March 5, 2026: Deadline for FCEB agencies to patch the Microsoft, Notepad++ and Apple vulnerabilities.

MITRE ATT&CK Mitigations

Applying vendor-supplied security updates (ATT&CK mitigation M1051, Update Software) is the primary and most effective mitigation for all four vulnerabilities.

Audit (M1047, Enterprise)

Continuously auditing systems with vulnerability scanning and asset management tools is how unpatched instances are found in the first place; the observables above are the inputs to that audit.


Article Author

Jason Gomes


• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

KEV, CISA, patch management, vulnerability management, SolarWinds, Microsoft
