CISA Adds Seven Known Exploited Vulnerabilities to KEV Catalog

CISA Adds Seven New Vulnerabilities to 'Must-Patch' KEV Catalog

HIGH
May 21, 2026
Vulnerability, Patch Management, Policy and Compliance

Related Entities

Organizations

Cybersecurity and Infrastructure Security Agency, Federal Civilian Executive Branch, Samsung, D-Link

Products & Tech

Microsoft Exchange Server, SimpleHelp

CVE Identifiers

Full Report

Executive Summary

On May 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) updated its Known Exploited Vulnerabilities (KEV) catalog, adding seven new vulnerabilities that are confirmed to be under active exploitation by malicious actors. In accordance with Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities by a specified deadline to protect federal networks. While the specific details of the seven CVEs were not provided in the source material, their addition to this high-priority list signals an urgent and direct threat. CISA strongly advises all public and private sector organizations to review the KEV catalog and prioritize the patching of these vulnerabilities to reduce their exposure to ongoing attack campaigns.

Vulnerability Details

The source articles do not specify the seven CVEs added on May 20, 2026. However, the context provided mentions other vulnerabilities added to the KEV catalog in May 2026, which illustrates the types of flaws being targeted:

  • CVE-2026-42897: A critical cross-site scripting (XSS) vulnerability in Microsoft Exchange Server.
  • SimpleHelp vulnerabilities: Flaws being used in ransomware campaigns.
  • Samsung and D-Link vulnerabilities: Flaws being leveraged for botnet creation and other attacks.

The addition of seven new vulnerabilities at once indicates that CISA is observing multiple, concurrent attack campaigns leveraging a diverse set of unpatched software.

Affected Systems

The affected systems correspond to the products associated with the seven unspecified CVEs. Organizations must cross-reference the KEV catalog with their asset inventories to identify vulnerable systems. The primary entities affected by the directive are U.S. FCEB agencies.

Exploitation Status

By definition, every vulnerability in the KEV catalog has confirmed active exploitation. This is the sole criterion for inclusion. This means threat actors are not just in possession of a proof-of-concept; they are actively using these vulnerabilities to compromise systems in real-world environments.

Impact Assessment

The impact of failing to patch KEV vulnerabilities is high. Active exploitation can lead to system compromise, data breaches, ransomware deployment, and integration into botnets. For FCEB agencies, failure to comply with BOD 22-01 can result in censure and increased risk to federal data and operations. For private organizations, ignoring the KEV list means willingly accepting a much higher level of risk, as it is a clear guide to what attackers are currently using for initial access and intrusion.

Cyber Observables — Hunting Hints

Without knowing the specific CVEs, hunting advice must be general but can be focused on the outcomes of exploitation:

  • Hunt for new services: Look for new services or processes running on servers that are not part of the baseline configuration. This is a common persistence mechanism after exploitation.
  • Monitor for anomalous network connections: Search for connections from critical servers (like Exchange) to unusual external IP addresses, which could indicate a C2 channel has been established.
  • Analyze authentication logs: Look for a surge in failed logins followed by a success from an unusual source, which can indicate a brute-force or credential-stuffing attack that may precede exploitation.

Detection Methods

  • Vulnerability Scanning: The most direct detection method is to run authenticated vulnerability scans against the environment and specifically check for the presence of the newly added KEVs.
  • Threat Intelligence Integration: Integrate the CISA KEV feed (available in machine-readable formats) directly into your SIEM or vulnerability management platform to trigger automated alerts and tickets when a new KEV is present in your environment.
  • EDR/NDR: Endpoint and Network Detection and Response tools can identify post-exploitation activity even if the initial exploit is missed. Look for alerts related to lateral movement, credential dumping, or suspicious script execution.

Remediation Steps

  1. Prioritize and Patch: The primary remediation is to apply the vendor-supplied patches for the seven new vulnerabilities immediately. The KEV catalog provides a clear priority list; these vulnerabilities should be at the top.
  2. Review Asset Inventory: Ensure your asset inventory is accurate and complete. You cannot patch what you do not know you have.
  3. Apply Workarounds if Necessary: If a patch cannot be deployed immediately, implement any vendor-supplied workarounds or mitigations, such as disabling a vulnerable service or restricting access via firewall rules.
  4. Assume Breach: For critical, internet-facing systems, if patching was delayed, it is prudent to assume breach and hunt for signs of compromise.

Timeline of Events

  1. May 20, 2026: CISA adds seven new vulnerabilities to its KEV catalog.
  2. May 21, 2026: This article was published.

MITRE ATT&CK Mitigations

The only effective, long-term mitigation for the vulnerabilities listed in the KEV catalog is to apply the security updates provided by the vendors.

Audit

M1047 (enterprise)

Regularly audit systems against the KEV catalog to ensure compliance and identify any gaps in patching.

D3FEND Defensive Countermeasures

The addition of seven vulnerabilities to the KEV catalog underscores the necessity of a highly responsive software update process. Organizations must treat the KEV catalog not as a list of suggestions, but as an incident response driver. The recommended countermeasure is to operationalize the KEV feed. This involves more than just subscribing to email alerts. Security teams should use the machine-readable JSON feed provided by CISA and integrate it directly with their vulnerability management and ticketing systems. This automation should create high-priority, non-deferrable tickets assigned to asset owners the moment a KEV-listed vulnerability is detected in the environment. The remediation SLA for these tickets must align with CISA's deadlines. This transforms vulnerability management from a routine, often slow process into an agile, threat-driven function capable of responding to the real-world actions of adversaries.
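The feed integration described under Detection Methods and in the paragraph above, as an added example that is not code from the article or from CISA: it parses a constructed sample laid out like CISA's KEV JSON feed, cross-references it with a constructed asset inventory, and emits non-deferrable tickets prioritised against CISA's due date. The field names (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) are those of the published feed; the hostnames, the two placeholder CVE IDs and the priority rule are assumptions.

```python
import json
from datetime import date

# Constructed sample in the layout of CISA's KEV JSON feed (same field names as the
# published file; downloading the real feed is skipped so this runs offline).
# CVE-2026-42897 is the Exchange CVE cited in the article; the other IDs are placeholders.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-42897", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2026-05-20", "dueDate": "2026-06-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-PLACEHOLDER-1", "vendorProject": "SimpleHelp", "product": "SimpleHelp",
     "dateAdded": "2026-05-05", "dueDate": "2026-05-19", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-PLACEHOLDER-2", "vendorProject": "D-Link", "product": "DIR Routers",
     "dateAdded": "2026-05-12", "dueDate": "2026-06-02", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory as a CMDB export might record it (letter case varies on purpose).
SAMPLE_INVENTORY = [
    {"host": "mail01.corp.example", "vendor": "Microsoft", "product": "Exchange Server"},
    {"host": "rmm01.corp.example", "vendor": "simplehelp", "product": "SIMPLEHELP"},
    {"host": "web01.corp.example", "vendor": "Apache", "product": "HTTP Server"},
]

def kev_index(feed_json):
    """Parse the feed and index entries by case-folded (vendor, product)."""
    index = {}
    for entry in json.loads(feed_json)["vulnerabilities"]:
        key = (entry["vendorProject"].casefold(), entry["product"].casefold())
        index.setdefault(key, []).append(entry)
    return index

def build_tickets(feed_json, inventory, today_iso):
    """Cross-reference the inventory with KEV entries; return tickets ordered by urgency.
    Assumed rule: P1 if CISA's due date has passed or the entry has known ransomware
    use, P2 if due within 7 days, otherwise P3. Tickets are flagged non-deferrable."""
    index = kev_index(feed_json)
    today = date.fromisoformat(today_iso)
    tickets = []
    for asset in inventory:
        key = (asset["vendor"].casefold(), asset["product"].casefold())
        for entry in index.get(key, []):
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            ransomware = entry["knownRansomwareCampaignUse"] == "Known"
            priority = "P1" if days_left < 0 or ransomware else "P2" if days_left <= 7 else "P3"
            tickets.append({"host": asset["host"], "cve": entry["cveID"],
                            "due": entry["dueDate"], "days_left": days_left,
                            "priority": priority, "deferrable": False})
    return sorted(tickets, key=lambda t: (t["priority"], t["days_left"]))

if __name__ == "__main__":
    for t in build_tickets(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, "2026-05-21"):
        print(f'{t["priority"]} {t["host"]} {t["cve"]} due {t["due"]} ({t["days_left"]} days)')
```

Feeding the output into a ticketing system is the integration step; the remediation SLA on each ticket is CISA's dueDate, which the script carries through unchanged.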

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISA, KEV, Vulnerability, Patch Management, BOD 22-01, Cybersecurity