Alerts

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Fri, 15 May 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-42897 Microsoft Exchange Server Cross-Site Scripting Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the BOD 22-01 Fact Sheet for more information.

Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 14 May 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-20182 Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Note: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in Emergency Directive 26-03: Mitigate Vulnerabilities in Cisco SD-WAN Systems and Supplemental Direction ED 26-03: Hunt and Hardening Guidance for Cisco SD-WAN Systems. Adhere to the applicable Binding Operational Directive (BOD) 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Fri, 08 May 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-42208 BerriAI LiteLLM SQL Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 07 May 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-6973 Ivanti Endpoint Manager Mobile (EPMM) Improper Input Validation Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 06 May 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-0300 Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Fri, 01 May 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-31431 Linux Kernel Incorrect Resource Transfer Between Spheres Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 30 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-41940 WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Tue, 28 Apr 26 12:00:00 +0000

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2024-1708 ConnectWise ScreenConnect Path Traversal Vulnerability
CVE-2026-32202 Microsoft Windows Protection Mechanism Failure Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA — Fri, 24 Apr 26 12:00:00 +0000

CISA has added four new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2024-7399 Samsung MagicINFO 9 Server Path Traversal Vulnerability
CVE-2024-57726 SimpleHelp Missing Authorization Vulnerability
CVE-2024-57728 SimpleHelp Path Traversal Vulnerability
CVE-2025-29635 D-Link DIR-823X Command Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 23 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-39987 Marimo Remote Code Execution Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 22 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-33825 Microsoft Defender Insufficient Granularity of Access Control Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Supply Chain Compromise Impacts Axios Node Package Manager

CISA — Mon, 20 Apr 26 12:00:00 +0000

The Cybersecurity and Infrastructure Security Agency (CISA) is releasing this alert to provide guidance in response to the software supply chain compromise of the Axios node package manager (npm).¹ Axios is an HTTP client for JavaScript that developers commonly use in Node.js and browser environments.

On March 31, 2026, two npm packages for versions axios@1.14.1 and axios@0.30.4 of Axios npm injected the malicious dependency plain-crypto-js@4.2.1 that downloads multi-stage payloads from cyber threat actor infrastructure, including a remote access trojan.²

CISA urges organizations to implement the following recommendations to detect and remediate a potential compromise: 

Monitor and review code repositories, continuous integration/continuous delivery (CI/CD) pipelines, and developer machines that ran npm install or npm update with the compromised Axios version.
- Search for cached versions of affected dependencies in artifact repositories and dependency management tools. Pin npm package dependency versions to known safe releases.

If compromised dependencies are identified, revert the environment to a known safe state.

Downgrade to axios@1.14.0 or axios@0.30.3 and delete node_modules/plain-crypto-js/.

Rotate/revoke credentials that may have been exposed on affected systems or pipelines (e.g., version control system [VCS] tokens, CI/CD secrets, cloud keys, npm tokens, and Secure Shell [SSH] keys). For ephemeral CI jobs, rotate all secrets injected into the compromised run.

Monitor for unexpected child processes and anomalous network behavior, specifically during npm install or npm update.
- Block and monitor outbound connections to Sfrclak[.]com domains.
- Conduct continuous indicator searches and endpoint detection and response (EDR) hunts to confirm no indicators of compromise (IOCs) remain; ensure no further egress to the command and control (C2).

In addition, CISA recommends organizations using Axios npm:

Mandate phishing-resistant multifactor authentication (MFA) on all developer accounts, especially for critical platforms.

Set ignore-scripts=true in the .npmrc configuration file, which prevents potentially malicious scripts from executing during npm install packages.

Set min-release-age=7 in the .npmrc configuration file to only install packages that have been published for at least seven days, which helps avoid installation of packages that may not be completely vetted or are potentially malicious.

Establish and maintain a baseline of normal execution behavior for tools that use Axios.
- Alert when a dependency behaves differently (e.g., building containers, enabling shells, executing commands) and trace outbound network activity for anomalous connections.

See the following resources for additional guidance on this compromise:

GitHub: Post Mortem: axios npm supply chain compromise #10636

Microsoft: Mitigating the Axios npm supply chain compromise

StepSecurity: axios Compromised on npm - Malicious Versions Drop Remote Access Trojan

npm Docs: Securing your code

Socket: Supply Chain Attack on Axios Pulls Malicious Dependency from npm

Disclaimer

The information in this report is being provided “as is” for informational purposes only. CISA does not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favoring by CISA.

Notes

¹ “Post Mortem: axios npm supply chain compromise,” axios GitHub, Issue #10636, March 31, 2026, https://github.com/axios/axios/issues/10636.

² “Mitigating the Axios npm supply chain compromise,” Microsoft Threat Intelligence and Microsoft Defender Security Research Team, April 1, 2026, https://www.microsoft.com/en-us/security/blog/2026/04/01/mitigating-the-axios-npm-supply-chain-compromise/.

CISA Adds Eight Known Exploited Vulnerabilities to Catalog

CISA — Mon, 20 Apr 26 12:00:00 +0000

CISA has added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2023-27351 PaperCut NG/MF Improper Authentication Vulnerability
CVE-2024-27199 JetBrains TeamCity Relative Path Traversal Vulnerability
CVE-2025-2749 Kentico Xperience Path Traversal Vulnerability
CVE-2025-32975 Quest KACE Systems Management Appliance (SMA) Improper Authentication Vulnerability
CVE-2025-48700 Synacor Zimbra Collaboration Suite (ZCS) Cross-site Scripting Vulnerability
CVE-2026-20122 Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability
CVE-2026-20128 Cisco Catalyst SD-WAN Manager Storing Passwords in a Recoverable Format Vulnerability
CVE-2026-20133 Cisco Catalyst SD-WAN Manager Exposure of Sensitive Information to an Unauthorized Actor Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 16 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-34197 Apache ActiveMQ Improper Input Validation Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA — Tue, 14 Apr 26 12:00:00 +0000

CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2009-0238 Microsoft Office Remote Code Execution Vulnerability
CVE-2026-32201 Microsoft SharePoint Server Improper Input Validation Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds Seven Known Exploited Vulnerabilities to Catalog

CISA — Mon, 13 Apr 26 12:00:00 +0000

CISA has added seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2012-1854 Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability
CVE-2020-9715 Adobe Acrobat Use-After-Free Vulnerability
CVE-2023-21529 Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability
CVE-2023-36424 Microsoft Windows Out-of-Bounds Read Vulnerability
CVE-2025-60710 Microsoft Windows Link Following Vulnerability
CVE-2026-21643 Fortinet SQL Injection Vulnerability
CVE-2026-34621 Adobe Acrobat and Reader Prototype Pollution Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 08 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-1340 Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Mon, 06 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-35616 - Fortinet FortiClient EMS Improper Access Control Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 02 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-3502 TrueConf Client Download of Code Without Integrity Check Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 01 Apr 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-5281 Google Dawn Use-After-Free Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Mon, 30 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-3055 Citrix NetScaler Out-of-Bounds Read Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Fri, 27 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-53521 F5 BIG-IP Remote Code Execution Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 26 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-33634 Aqua Security Trivy Embedded Malicious Code Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 25 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-33017 Langflow Code Injection Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA — Fri, 20 Mar 26 12:00:00 +0000

CISA has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-31277 Apple Multiple Products Buffer Overflow Vulnerability
CVE-2025-32432 Craft CMS Code Injection Vulnerability
CVE-2025-43510 Apple Multiple Products Improper Locking Vulnerability
CVE-2025-43520 Apple Multiple Products Classic Buffer Overflow Vulnerability
CVE-2025-54068 Laravel Livewire Code Injection Vulnerability

These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Thu, 19 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-20131 Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

CISA — Wed, 18 Mar 26 12:00:00 +0000

CISA is aware of malicious cyber activity targeting endpoint management systems of U.S. organizations based on the March 11, 2026 cyberattack against U.S.-based medical technology firm Stryker Corporation, which affected their Microsoft environment.¹ To defend against similar malicious cyber activity, CISA urges organizations to harden endpoint management system configurations using the recommendations and resources provided in this alert. CISA is conducting enhanced coordination with federal partners, including the Federal Bureau of Investigation (FBI), to identify additional threats and determine mitigation actions.

To defend against similar malicious activity that misuses legitimate endpoint management software, CISA urges organizations to implement Microsoft’s newly released best practices for securing Microsoft Intune; the principles of these recommendations can be applied to Intune and more broadly to other endpoint management software:

Use principles of least privilege when designing administrative roles.
- Leverage Microsoft Intune’s role-based access control (RBAC) to assign the minimum permissions necessary to each role for completing day-to-day operations—permissions include what actions the role can take, and what users and devices it can apply that action to.
Enforce phishing-resistant multi-factor authentication (MFA) and privileged access hygiene.
- Use Microsoft Entra ID capabilities (including Conditional Access, MFA, risk signals, and privileged access controls) to block unauthorized access to privileged actions in Microsoft Intune.
Configure access policies to require Multi Admin Approval in Microsoft Intune.
- Set up policies that require a second administrative account’s approval to allow changes to sensitive or high-impact actions (such as device wiping), applications, scripts, RBAC, configurations, etc.

Additionally, CISA recommends reviewing the following resources to strengthen defenses against similar malicious cyber activity:

Microsoft resources:
- For recommendations on securing Microsoft Intune, see Best practices for securing Microsoft Intune.
- For guidance on implementing Multi Admin Approval in Microsoft Intune, see Use Access policies to implement Multi Admin Approval.
- For recommendations on configuring Microsoft Intune using zero trust principles, see Configure Microsoft Intune for increased security.
- For guidance on implementing Microsoft Intune RBAC policies, see Role-based access control (RBAC) with Microsoft Intune.
- For guidance on deploying Privileged Identity Management (PIM) across Microsoft Intune, Entra ID, and other Microsoft software, see Plan a Privileged Identity Management deployment.
CISA resources:
- For guidance on implementing phishing-resistant multifactor authentication (MFA), see Implementing Phishing-Resistant MFA.

Disclaimer

Acknowledgements

Microsoft and Stryker contributed to this alert.

Notes

1 For updates from Stryker on the incident, see “Customer Updates: Stryker Network Disruption,” Stryker, last modified March 15, 2026, https://www.stryker.com/us/en/about/news/2026/a-message-to-our-customers-03-2026.html.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 18 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-66376 Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Wed, 18 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2026-20963 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

CISA Adds One Known Exploited Vulnerability to Catalog

CISA — Mon, 16 Mar 26 12:00:00 +0000

CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.

CVE-2025-47813 Wing FTP Server Information Disclosure Vulnerability

This type of vulnerability is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise.

Alerts

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA Adds Four Known Exploited Vulnerabilities to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

​​Supply Chain Compromise Impacts Axios Node Package Manager​

Disclaimer

Notes

CISA Adds Eight Known Exploited Vulnerabilities to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA Adds Seven Known Exploited Vulnerabilities to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds Five Known Exploited Vulnerabilities to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Urges Endpoint Management System Hardening After Cyberattack Against US Organization

Disclaimer

Acknowledgements

Notes

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

CISA Adds One Known Exploited Vulnerability to Catalog

Supply Chain Compromise Impacts Axios Node Package Manager