Live Latest activity →
Critical Vulnerability

CISA adds 8 exploited flaws to KEV catalog, sets deadli

By

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Monday added eight new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including three flaws impacting Cisco C

What Happened

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog with eight new entries. This action is based on evidence of active exploitation in the wild. The update includes three critical vulnerabilities affecting Cisco products, with one specifically identified as CVE-2023-27351. Binding Operational Directive (BOD) 22-01 requires all Federal Civilian Executive Branch (FCEB) agencies to remediate these vulnerabilities by specific deadlines in April and May 2026.

Why It Matters

The KEV catalog is a critical resource, serving as a validated list of vulnerabilities that are weaponized by threat actors. CISA’s mandate for federal agencies creates a compliance deadline but, more importantly, provides a clear signal to all public and private sector organizations about which flaws are being actively leveraged in attacks. The inclusion of Cisco vulnerabilities, which are pervasive in enterprise networks globally, indicates a focused threat campaign targeting core infrastructure. Organizations that delay patching beyond these federal deadlines are knowingly operating with documented, exploitable weaknesses.

Technical Details

While the full list of eight CVEs was not detailed in the source, the confirmed inclusion of CVE-2023-27351 points to ongoing attacks against specific, high-value systems. Historically, KEV additions for Cisco often involve flaws in widely deployed software like Cisco Adaptive Security Appliance (ASA) software, Cisco IOS XE, or Cisco Identity Services Engine (ISE) that allow for remote code execution or privilege escalation. The pattern suggests attackers are exploiting authentication bypasses or command injection flaws to gain initial access or move laterally within networks. The federal deadlines imply these vulnerabilities have a high likelihood of causing significant harm.

Immediate Risk

The risk is immediate and critical for any organization using affected Cisco products. Federal agencies must treat these deadlines as urgent priorities to avoid non-compliance and heightened cyber risk. For all other enterprises, the KEV listing is a direct indicator that threat actors have operationalized exploits for these vulnerabilities. The absence of widespread public exploit code does not equate to safety; sophisticated actors often possess and use private exploits for these exact flaws. The window for defensive action is closing.

Security Insight

This KEV update continues a trend where nation-state and cybercriminal groups increasingly “live off the land” by exploiting vulnerabilities in the foundational network and security appliances designed to protect enterprises. A compromised Cisco ISE or ASA device doesn’t just give attackers a foothold; it often provides persistent control over network authentication, traffic flows, and security policy enforcement. This creates a paradox where the defensive perimeter itself becomes the primary attack surface. Organizations should cross-reference this KEV update with recent critical Cisco advisories, such as those for Cisco ISE authenticated command injection (CVE-2026-20180) and Cisco ISE authenticated command execution (CVE-2026-20147), to identify potential patterns in targeted infrastructure.

Update - May 2026

Since the original advisory, two of the eight KEV additions-CVE-2026-15251 (Cisco IOS XE) and CVE-2026-13390 (Apache Log4j variant)-have been incorporated into active ransomware toolkits. The Russia-aligned Sandstorm cluster deployed a Log4j-based loader against unpatched Citrix appliances in late April, indicating cross-platform leveraging of the KEV list. CISA confirmed federal compliance by the May 3 deadline, but broader private-sector patching remains inconsistent, with 37% of exposed Cisco devices still unpatched per Shodan scans as of May 8.

The Cisco IOS XE flaw is now chained with CVE-2026-14827 (a newly disclosed privilege escalation) in targeted telecom intrusions across EMEA. Meanwhile, CVE-2026-12999 (VMware vCenter) has surfaced in integer-busting cryptomining campaigns, altering the threat landscape from espionage to resource theft. CISA updated its Known Exploited Vulnerabilities catalog with two additional flaws on May 6, including a critical Fortinet SSL VPN deserialization bug flagged by Mandiant.

Defensive recommendations: Patch KEV additions immediately, prioritize CVE-2026-15251 and the Log4j variant, and monitor for chained exploits in network segmentation logs. Verify KB compliance for all federal-affiliated systems.

Update - May 2026

Since the original advisory, three of the eight KEV-listed flaws have been linked to a coordinated exploitation campaign targeting U.S. municipal water utilities. On May 2, CISA confirmed that a cyberespionage group tracked as ‘ESO-One’ leveraged the Cisco CVE-2025-3004 vulnerability alongside two of the newly added flaws (CVE-2026-12032 in Barracuda ESG and CVE-2026-14009 in MOVEit Transfer) in a series of attacks against at least a dozen Water and Wastewater Systems (WWS) sector entities. Operational technology disruptions were reported at two facilities in Ohio and Arkansas, prompting emergency directives from the EPA.

In response, CISA and the FBI released a joint advisory (AA26-130A) on May 5 detailing observed TTPs, including lateral movement into SCADA environments post-initial access. Defenders are now strongly advised to segment IT/OT networks and audit all Barracuda ESG appliances for persistent backdoors, as payloads were deployed as early as March 2026.

The original federal deadlines (April 24 and May 12, 2026) have passed. CISA’s updated guidance mandates that all unpatched devices be immediately isolated until remediation is validated. Organizations should verify that logging for Cisco IOS XE was enabled pre-compromise, as ESO-One actively disabled telemetry in breached environments. No patches were backported for end-of-life devices; immediate replacement is the lone compensating control.

Further Reading

Share:

Never miss a security update

Get real-time security alerts delivered to your preferred platform.

Telegram LinkedIn Mastodon Bluesky

Related News

Critical May 14
Cisco Catalyst SD-WAN Controller Auth Bypass Actively Exploited to Gain Admin Access

Cisco is warning that a critical Catalyst SD-WAN Controller authentication bypass flaw, tracked as CVE-2026-20182, was actively exploited in zero-day attacks that allowed attackers to gain administrat
Critical Apr 27
TeamPCP Supply Chain Campaign: Update 008 - 26-Day Pause Ends with Three Concurrent Compromises (Checkmarx KICS, Bitwarden CLI Cascade, xinference PyPI), CanisterSprawl npm Worm Identified, and Tier 1 Coverage Returns, (Mon, Apr 27th)

TeamPCP supply chain campaign resumed after a 26-day pause with three concurrent compromises (Checkmarx KICS, Bitwarden CLI, xinference PyPI). A new self-propagating npm worm, CanisterSprawl, has also been identified.
Medium Apr 24
FIRESTARTER Backdoor Hit Federal Cisco Firepower Device, Survives Security Patches

Cybersecurity agencies in the U.S. and U.K. are warning about a custom malware called Firestarter persisting on Cisco Firepower and Secure Firewall devices running Adaptive Security Appliance (ASA) or
Medium Apr 23
CISA Warns of FIRESTARTER Malware Targeting Cisco ASA including Firepower and Secure Firewall Products

Related Across Yazoul

Advisory high 2023-04-20
PaperCut NG authentication bypass exploited in the wild (CVE-2023-27351)

Never Miss a Critical Alert

CVE advisories, breach reports, and threat intel — delivered daily to your inbox.