CISA Adds Two New Actively Exploited Vulnerabilities to KEV Catalog

CISA Mandates Patching for Two New, Undisclosed Vulnerabilities Added to Known Exploited Vulnerabilities (KEV) Catalog

CRITICAL
January 7, 2026
Vulnerability, Patch Management, Regulatory

Related Entities

Organizations

  • Cybersecurity and Infrastructure Security Agency (CISA)
  • Federal Civilian Executive Branch (FCEB)

Full Report

Executive Summary

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog, adding two new, currently undisclosed vulnerabilities. The action, taken on January 7, 2026, signifies that CISA possesses credible evidence that these flaws are being actively exploited in the wild. Under Binding Operational Directive (BOD) 22-01, U.S. Federal Civilian Executive Branch (FCEB) agencies are mandated to remediate these vulnerabilities by a set due date. While the directive is specific to federal agencies, CISA strongly advises all organizations to use the KEV catalog as a primary input for their vulnerability management prioritization, as these flaws represent clear and present dangers.

Vulnerability Details

As of the time of this report, the specific CVE identifiers and technical details of the two newly added vulnerabilities have not been publicly detailed in the initial alert. Their addition to the KEV catalog is based on intelligence confirming active exploitation by threat actors. The KEV catalog entry for each vulnerability will typically include the vendor, product, vulnerability name, a brief description, and the remediation due date for federal agencies.

Affected Systems

The affected products and vendors are not specified in the summary alert but will be listed in the official KEV catalog entry. Organizations should consult the catalog directly for this information.

Exploitation Status

CRITICAL: Both vulnerabilities are confirmed to be under active exploitation. This means that threat actors have developed working exploits and are using them in real-world attacks. Any organization with vulnerable systems is at immediate risk of compromise.

Impact Assessment

The impact of exploitation depends on the nature of the vulnerabilities. However, flaws added to the KEV catalog are typically those that allow for significant unauthorized access, such as remote code execution or privilege escalation. A successful exploit could lead to initial access for ransomware deployment, data theft, or espionage. The mandate for federal agencies to patch underscores the high-risk nature of these vulnerabilities.

Detection Methods

  • Vulnerability Scanning: The most direct method for detection is to use vulnerability management tools and scanners that incorporate the KEV catalog feed. Run authenticated scans against all assets to identify instances of the vulnerable software.
  • Asset Inventory: Maintain a comprehensive and up-to-date software and hardware asset inventory. This allows for rapid searching to determine if and where the affected products are deployed in the environment.
  • Threat Hunting: Once details of the vulnerabilities and their exploitation methods are released, security teams should proactively hunt for Indicators of Compromise (IOCs) and TTP-based indicators associated with the attacks.

Remediation Steps

  1. Prioritize and Patch: The primary action is to treat these vulnerabilities as a top priority. Federal agencies must adhere to the deadline specified in the KEV entry. All other organizations should patch as soon as possible, following a risk-based approach that prioritizes internet-facing and critical systems. This is a direct application of M1051 - Update Software.
  2. Review CISA Guidance: Continuously monitor the KEV catalog and any associated CISA advisories for updated information, including IOCs and mitigation guidance.
  3. Apply Workarounds if Necessary: If a patch is not yet available or cannot be immediately deployed, implement any temporary workarounds or mitigations recommended by the vendor or CISA.
  4. Verify Remediation: After applying patches, run follow-up scans to verify that the vulnerability has been successfully remediated across all identified systems.

Timeline of Events

  1. January 7, 2026: CISA adds two new actively exploited vulnerabilities to the KEV catalog.
  2. January 7, 2026: This article was published.

MITRE ATT&CK Mitigations

Update Software
M1051 (enterprise)

Applying vendor-supplied security updates is the primary method for remediating known vulnerabilities.

Audit
M1047 (enterprise)

Maintaining a comprehensive asset inventory and performing regular vulnerability scanning are critical auditing functions that enable rapid response to KEV alerts.

D3FEND Defensive Countermeasures

The inclusion of any vulnerability in the CISA KEV catalog is a directive for immediate action. The core defensive measure is a rapid and comprehensive patching process. Organizations must leverage their asset inventory and vulnerability management systems to immediately identify all instances of the affected products listed in the KEV update. A patch deployment plan should be executed with the highest priority, focusing first on internet-facing systems, then critical internal servers, and finally all other affected endpoints. The remediation timeline should aim to meet or beat the deadline set by CISA for federal agencies. This is not a routine patch cycle; it is an emergency response to a confirmed, active threat. Failure to patch in a timely manner constitutes acceptance of a very high risk of compromise.

A KEV alert tests an organization's vulnerability management program. A mature program should have automated feeds from the KEV catalog integrated into its scanning and ticketing systems. When CISA issued this alert, it should have automatically triggered scans and created high-priority tickets assigned to the relevant system owners. The security operations team should use this event to validate their process: How quickly were we able to identify our exposure? Was our asset inventory accurate? Did the automated workflow function correctly? This process of continuous validation and improvement ensures that the organization can respond effectively and efficiently to the next KEV alert, minimizing the window of exposure to actively exploited threats.
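As an added illustration of the automated KEV-to-inventory workflow described here (and of the asset inventory check under Detection Methods), this Python example is not the article's or CISA's code: it parses a feed in the shape of CISA's public KEV JSON, joins it to a software asset inventory by vendor and product, and ranks the hits in the article's patch order (internet-facing, then critical internal, then endpoints) with the days remaining to the CISA due date. The JSON field names follow CISA's published feed; the entries, hostnames and CVE ids below are constructed placeholders.

```python
"""Match CISA KEV entries against an asset inventory and rank them for patching.

Added example, not the article's or CISA's code. The live feed is CISA's public JSON
(https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json);
everything embedded below is constructed sample data in that shape."""
import json
from datetime import date

# Constructed sample feed; the CVE ids are placeholders, not real identifiers.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "Gateway",
     "vulnerabilityName": "ExampleVendor Gateway RCE", "dateAdded": "2026-01-07",
     "dueDate": "2026-01-28", "requiredAction": "Apply mitigations per vendor instructions."},
    {"cveID": "CVE-0000-00002", "vendorProject": "OtherCorp", "product": "AdminConsole",
     "vulnerabilityName": "OtherCorp AdminConsole privilege escalation", "dateAdded": "2026-01-07",
     "dueDate": "2026-01-28", "requiredAction": "Apply updates per vendor instructions."},
]})

# Constructed asset inventory: (hostname, vendor, product, tier). Tiers follow the
# article's patch order: internet-facing first, then critical internal, then endpoints.
INVENTORY = [
    ("vpn-edge-01", "ExampleVendor", "Gateway", "internet-facing"),
    ("app-int-07", "OtherCorp", "AdminConsole", "critical-internal"),
    ("ws-0421", "OtherCorp", "AdminConsole", "endpoint"),
    ("db-core-02", "UnrelatedVendor", "Database", "critical-internal"),
]
TIER_ORDER = {"internet-facing": 0, "critical-internal": 1, "endpoint": 2}


def kev_added_on(feed_json, added):
    """Return KEV entries whose dateAdded equals the given ISO date string."""
    return [v for v in json.loads(feed_json)["vulnerabilities"] if v["dateAdded"] == added]


def exposure(entries, inventory, today):
    """Join KEV entries to inventory on (vendor, product), case-insensitively, and
    sort hits by tier then due date. days_left lets a ticket show the CISA deadline."""
    by_key = {(e["vendorProject"].lower(), e["product"].lower()): e for e in entries}
    today = date.fromisoformat(today)
    hits = []
    for host, vendor, product, tier in inventory:
        e = by_key.get((vendor.lower(), product.lower()))
        if e is None:
            continue  # product not in this KEV update; nothing to ticket
        due = date.fromisoformat(e["dueDate"])
        hits.append({"host": host, "cve": e["cveID"], "tier": tier,
                     "due": e["dueDate"], "days_left": (due - today).days})
    return sorted(hits, key=lambda h: (TIER_ORDER[h["tier"]], h["due"]))


if __name__ == "__main__":
    for h in exposure(kev_added_on(KEV_FEED, "2026-01-07"), INVENTORY, "2026-01-07"):
        print(f"{h['tier']:17} {h['host']:12} {h['cve']:15} due {h['due']} ({h['days_left']} days)")
```

In production the feed is fetched from CISA on a schedule and the inventory comes from the CMDB or scanner; the join and ranking stay the same.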

Sources & References

  • Cybersecurity Alerts & Advisories, CISA (cisa.gov), January 7, 2026
  • Known Exploited Vulnerabilities Catalog, CISA (cisa.gov), January 7, 2026

Article Author

Jason Gomes

Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISA, KEV, Vulnerability, Patch Management, Zero-Day, Exploit, BOD 22-01
