CISA adds seven KEVs including Defender flaws

- CISA added seven vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, including two Microsoft Defender flaws tied to active exploitation.
- The May 21 catalog update added Langflow CVE-2025-34291 and Trend Micro Apex One CVE-2026-34926, both carrying June 4 remediation deadlines.
- Federal civilian executive branch agencies must follow BOD 22-01 deadlines, while other organizations are urged to prioritize the same fixes.

CISA added seven vulnerabilities to its Known Exploited Vulnerabilities catalog on May 20, including two Microsoft Defender bugs, and followed with another update on May 21 that added Langflow and Trend Micro Apex One flaws. The agency said the additions were based on evidence of active exploitation. Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate listed vulnerabilities by the published due dates. CISA also said organizations outside the federal government should use the catalog to prioritize patching, because the list tracks vulnerabilities already being exploited in the wild.

### Which Microsoft Defender flaws were added on May 20?

CISA's May 20 alert listed CVE-2026-41091, a Microsoft Defender elevation-of-privilege vulnerability, and CVE-2026-45498, a Microsoft Defender denial-of-service vulnerability. The same alert said seven vulnerabilities were added in total that day, the two Defender bugs alongside five older Microsoft and Adobe entries dating from 2008 to 2010. (cisa.gov)

The May 20 notice did not include technical exploitation details in the alert text. CISA said only that the vulnerabilities were added "based on evidence of active exploitation" and described such flaws as "frequent attack vectors for malicious cyber actors."

### What changed in the May 21 catalog update?

CISA's catalog entry shows CVE-2026-34926, affecting Trend Micro Apex One on-premise, was added on May 21. (cisa.gov) The agency describes it as a directory traversal vulnerability that could let a pre-authenticated local attacker modify a server key table and inject malicious code for deployment to agents on affected installations.

The same May 21 catalog update added CVE-2025-34291 in Langflow. (cisa.gov) CISA says the flaw is an origin validation error tied to an overly permissive CORS configuration and a refresh-token cookie set to `SameSite=None`, which together could let a malicious webpage make authenticated cross-origin requests.
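The Langflow entry names two ingredients: a CORS policy that accepts any origin with credentials, and a refresh-token cookie marked `SameSite=None`. The following added example is not Langflow's code and is not taken from the CISA entry; it is a small Python model of the two browser rules that make that combination readable from a hostile page (the SameSite cookie rules and the credentialed CORS response check), applied to the weak configuration and to each hardened variant. The origins, endpoint and configuration names in it are assumed.

```python
"""Added example: a model of the browser rules behind the Langflow entry.

This is not Langflow's code and not from the CISA entry. It encodes two
well-defined browser behaviours, the SameSite cookie rules and the CORS
credentialed-response check, and applies them to a weak configuration
(reflect any Origin with credentials, SameSite=None cookie) and to
hardened ones. Origins and configuration names below are assumed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class CorsConfig:
    """Server-side CORS policy. allowed_origins=None means the server
    echoes whatever Origin header the request carries."""
    allowed_origins: frozenset[str] | None
    allow_credentials: bool


@dataclass(frozen=True)
class CookieConfig:
    """Attributes on the refresh-token cookie."""
    same_site: str  # "None", "Lax" or "Strict"
    secure: bool = True


def cors_headers(cfg: CorsConfig, origin: str) -> dict[str, str]:
    """CORS response headers the server emits for a request from `origin`."""
    headers: dict[str, str] = {}
    if cfg.allowed_origins is None or origin in cfg.allowed_origins:
        headers["Access-Control-Allow-Origin"] = origin
        if cfg.allow_credentials:
            headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def cookie_sent_cross_site(cookie: CookieConfig, method: str,
                           top_level_navigation: bool) -> bool:
    """Whether the browser attaches the cookie to a cross-site request."""
    if cookie.same_site == "None":
        # SameSite=None is only honoured together with Secure.
        return cookie.secure
    if cookie.same_site == "Lax":
        # Lax cookies travel only on top-level navigations with safe methods,
        # never on a fetch()/XHR issued from another site's page.
        return top_level_navigation and method.upper() in {"GET", "HEAD"}
    if cookie.same_site == "Strict":
        return False
    raise ValueError(f"unknown SameSite value: {cookie.same_site!r}")


def attacker_reads_authenticated_response(cors: CorsConfig, cookie: CookieConfig,
                                          attacker_origin: str,
                                          method: str = "POST") -> bool:
    """Outcome of fetch(url, {credentials: "include"}) run by a page at
    attacker_origin against an endpoint that answers with the victim's
    token (the article describes tokens being obtained this way)."""
    # Step 1: does the victim's cookie accompany the request at all?
    if not cookie_sent_cross_site(cookie, method, top_level_navigation=False):
        return False  # request arrives unauthenticated; nothing to steal
    # Step 2: does the browser release the response body to the page?
    # With credentials included the browser requires ACAO to name the
    # requesting origin exactly (a literal "*" is rejected) and ACAC "true".
    hdr = cors_headers(cors, attacker_origin)
    return (hdr.get("Access-Control-Allow-Origin") == attacker_origin
            and hdr.get("Access-Control-Allow-Credentials") == "true")


# Assumed configurations for the demonstration.
WEAK_CORS = CorsConfig(allowed_origins=None, allow_credentials=True)
WEAK_COOKIE = CookieConfig(same_site="None")
HARDENED_CORS = CorsConfig(allowed_origins=frozenset({"https://app.example.internal"}),
                           allow_credentials=True)
HARDENED_COOKIE = CookieConfig(same_site="Lax")
ATTACKER = "https://evil.example"


def compare_configurations() -> dict[str, bool]:
    """Is the token readable from ATTACKER for each combination of settings?"""
    return {
        "weak cors + SameSite=None":
            attacker_reads_authenticated_response(WEAK_CORS, WEAK_COOKIE, ATTACKER),
        "allowlist cors + SameSite=None":
            attacker_reads_authenticated_response(HARDENED_CORS, WEAK_COOKIE, ATTACKER),
        "weak cors + SameSite=Lax":
            attacker_reads_authenticated_response(WEAK_CORS, HARDENED_COOKIE, ATTACKER),
        "allowlist cors + SameSite=Lax":
            attacker_reads_authenticated_response(HARDENED_CORS, HARDENED_COOKIE, ATTACKER),
    }


if __name__ == "__main__":
    for label, exploitable in compare_configurations().items():
        print(f"{label:32s} -> {'EXPLOITABLE' if exploitable else 'blocked'}")
```

Only the weak pairing lets the attacker's page read the token; fixing either setting blocks the read. Two caveats the model makes visible: a top-level navigation would still carry a `SameSite=Lax` cookie, but the attacker then has no way to read the rendered response, which is why the fetch() path is the one modelled; and with the origin allowlist fixed but the cookie still `SameSite=None`, the request still reaches the API authenticated even though its response is withheld, so a state-changing endpoint without its own CSRF defence remains exposed to blind requests.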
The agency says that could allow arbitrary code execution and full system compromise through obtained tokens. (cisa.gov)

### What does a KEV addition actually trigger for agencies?

BOD 22-01, which CISA issued in November 2021, makes remediation compulsory for the federal executive branch departments and agencies it covers. CISA says the directive created the KEV catalog as a living list of vulnerabilities that carry significant risk to the federal enterprise and requires agencies to remediate cataloged vulnerabilities by the due date. (cisa.gov) The directive applies to software and hardware on federal information systems, whether managed on agency premises or hosted by third parties on an agency's behalf. CISA says it decides whether to include a vulnerability in the catalog based on reliable evidence that the exploit is being actively used against public or private organizations.

### What are the due dates in this round?

CISA's catalog lists June 4, 2026 as the due date for the May 21 additions, Trend Micro Apex One CVE-2026-34926 and Langflow CVE-2025-34291. (cisa.gov) The catalog excerpt also shows the standard agency action language: apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable. (cisa.gov)

CISA's May 20 alert says FCEB agencies must remediate the seven newly listed vulnerabilities by the due date, but the alert text shown in the notice does not spell out each deadline inline. Those deadlines are maintained in the catalog itself.

### Where should defenders look next?

CISA maintains the KEV catalog on its website as the authoritative list of vulnerabilities known to be exploited in the wild, with entries sortable by date added, vendor and project. (cisa.gov) The catalog page says organizations should use it as an input to their vulnerability management prioritization framework.
The next concrete step is in the catalog entries themselves: federal agencies covered by BOD 22-01 must work to the listed due dates, including June 4 for the Langflow and Trend Micro entries added on May 21. (cisa.gov) CISA said it will continue adding vulnerabilities that meet its criteria for active exploitation. (cisa.gov)
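Using the catalog as a prioritization input in practice means matching its entries against what you actually run and watching the due dates. CISA also publishes the catalog as machine-readable JSON and CSV feeds. The following added example is not CISA tooling: it triages a feed excerpt against a local inventory, sorts by due date and flags entries that are due soon or overdue. The excerpt is constructed to mirror the JSON feed's field names and carries only the two May 21 entries and dates from this article; the inventory, hostnames and warning threshold are assumed.

```python
"""Added example: triage a KEV feed excerpt against a local inventory.

Not CISA tooling. The excerpt below is constructed to mirror the field
names of CISA's KEV JSON feed and carries the two May 21 entries and
dates reported in this article. The inventory, hostnames and the
warning threshold are assumed.
"""
import json
from datetime import date

# Constructed feed excerpt (field names follow the public KEV JSON feed).
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {
      "cveID": "CVE-2026-34926",
      "vendorProject": "Trend Micro",
      "product": "Apex One",
      "vulnerabilityName": "Trend Micro Apex One Directory Traversal Vulnerability",
      "dateAdded": "2026-05-21",
      "shortDescription": "Directory traversal that could let a pre-authenticated local attacker modify a server key table and inject code for deployment to agents.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.",
      "dueDate": "2026-06-04"
    },
    {
      "cveID": "CVE-2025-34291",
      "vendorProject": "Langflow",
      "product": "Langflow",
      "vulnerabilityName": "Langflow Origin Validation Error Vulnerability",
      "dateAdded": "2026-05-21",
      "shortDescription": "Overly permissive CORS configuration and a SameSite=None refresh-token cookie let a malicious webpage make authenticated cross-origin requests.",
      "requiredAction": "Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.",
      "dueDate": "2026-06-04"
    }
  ]
}
"""

# Assumed inventory: (vendor, product) as they appear in the feed -> hosts.
INVENTORY = {
    ("trend micro", "apex one"): ["av-mgmt-01"],
    ("langflow", "langflow"): ["ml-dev-03", "ml-dev-04"],
    ("microsoft", "windows"): ["ws-100"],  # nothing in the excerpt matches this
}


def normalize(text: str) -> str:
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(text.lower().split())


def load_kev(feed_text: str) -> list[dict]:
    """Parse the feed and return its list of vulnerability records."""
    return json.loads(feed_text)["vulnerabilities"]


def triage(vulns: list[dict], inventory: dict, today_iso: str,
           warn_within_days: int = 7) -> list[dict]:
    """Return the entries that touch the inventory, earliest due date first,
    each with days remaining and a status of scheduled / DUE SOON / OVERDUE."""
    today = date.fromisoformat(today_iso)
    hits = []
    for v in vulns:
        hosts = inventory.get((normalize(v["vendorProject"]), normalize(v["product"])))
        if not hosts:
            continue  # nothing in our estate runs this product
        days_left = (date.fromisoformat(v["dueDate"]) - today).days
        if days_left < 0:
            status = "OVERDUE"
        elif days_left <= warn_within_days:
            status = "DUE SOON"
        else:
            status = "scheduled"
        hits.append({
            "cveID": v["cveID"],
            "dateAdded": v["dateAdded"],
            "dueDate": v["dueDate"],
            "days_left": days_left,
            "status": status,
            "hosts": hosts,
            "requiredAction": v["requiredAction"],
        })
    # ISO dates sort correctly as strings; tie-break on the CVE ID.
    hits.sort(key=lambda h: (h["dueDate"], h["cveID"]))
    return hits


def report(hits: list[dict]) -> list[str]:
    """One line per hit, ready for a ticket or a daily digest."""
    return [
        f"{h['cveID']} due {h['dueDate']} ({h['days_left']:+d}d, {h['status']}): "
        f"{', '.join(h['hosts'])}"
        for h in hits
    ]


if __name__ == "__main__":
    for line in report(triage(load_kev(KEV_FEED_JSON), INVENTORY, "2026-05-22")):
        print(line)
```

The exact vendor/product match is the assumed simplification here; in the real feed the product field can name a family or several products at once, so a production version should key on CPE or vendor advisory identifiers rather than display names. The due dates are the federal deadlines under BOD 22-01; for everyone else they are the prioritization signal the catalog page recommends.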
