CISA adds three actively exploited CVEs to Known Exploited Vulnerabilities list
- CISA placed multiple actively exploited vulnerabilities into its Known Exploited Vulnerabilities catalog and set a federal patch deadline of May 12. (x.com)
- The newly listed entries include CVE-2026-31431 (Linux root access), CVE-2024-1708 (ConnectWise ScreenConnect path-traversal, CVSS 8.4) and CVE-2026-32202 (Windows Shell). (x.com)
- CISA also flagged MSP-focused tools such as SimpleHelp and Quest KACE on the KEV list, forcing higher remediation priority for managed-service environments. (x.com)

CISA’s Known Exploited Vulnerabilities list is basically the government’s “drop what you’re doing and patch this” board. When a bug lands there, CISA is saying two things at once — attackers are already using it in the wild, and federal agencies now have a hard deadline to fix or mitigate it. This week, the catalog picked up fresh entries including a Linux kernel privilege-escalation flaw, while the broader list keeps filling with bugs in the remote-management and edge software that attackers love most. (cisa.gov)

### What actually changed?

The concrete move was CISA adding CVE-2026-31431 to the KEV catalog on May 1, 2026 after evidence of active exploitation. In the catalog, CISA describes it as a Linux kernel vulnerability that could allow privilege escalation — in plain English, a way for an attacker who already has some foothold to climb to higher permissions. Federal Civilian Executive Branch agencies got a due date of May 22, 2026 to remediate or otherwise follow vendor guidance. (cisa.gov)

### Why does KEV matter more than a normal CVE?

A CVE by itself just says a flaw exists. KEV says the flaw is being used. That distinction matters because security teams drown in vulnerability backlogs, and most bugs never get exploited at scale. CISA’s whole point with KEV is prioritization — not every severe bug is urgent, but a bug tied to real-world attacks jumps the queue immediately. Under BOD 22-01, federal agencies are required to fix listed items by the deadline CISA sets. (cisa.gov)

### What does this Linux bug let attackers do?

Privilege escalation is the ugly middle step in a lot of real intrusions. An attacker lands as a low-privilege user, then uses a kernel flaw to become root. Root on Linux is game over for that machine — full control, persistence, credential theft, lateral movement, the works. The catch is that this is usually not the first move in the chain. It’s the second move that turns a breach from annoying into catastrophic. (cisa.gov)

### Was the user’s list of three bugs right?

Not cleanly. The CISA material I could verify directly shows CVE-2026-31431 in a May 1 alert and in the live KEV catalog. I could also verify that CVE-2024-1708 — the ConnectWise ScreenConnect directory-traversal/authentication-bypass mess from 2024 — is a bug CISA has repeatedly pointed to as a real exploitation example. But I could not verify, from CISA pages I found, that CISA added exactly those same three CVEs together on May 8, 2026, or that a May 12 deadline applied to that exact trio. (cisa.gov)

### Why do MSP tools keep showing up here?

Because remote monitoring and management tools are force multipliers for attackers. Hit one MSP platform and you may get access to dozens or hundreds of downstream customers. That’s why CISA has spent time warning about products like SimpleHelp, and why older bugs in tools like ScreenConnect keep staying relevant long after disclosure. These aren’t just admin tools — they’re trusted pipes into many networks at once. (cisa.gov)

### So what should defenders do with this?

Treat KEV as a live priority feed, not a reference document. First, check whether any listed product is actually in your environment. Second, patch or apply the vendor mitigation on the timetable CISA gives — or faster if the product sits on the edge or is used for remote administration. Third, hunt for signs of exploitation before patching, not just after. If attackers are already using the bug, patching closes the door but doesn’t evict anyone already inside. (cisa.gov)

### What’s the bigger pattern?

The pattern is that CISA’s list keeps rewarding boring security discipline. The most dangerous bugs are often not exotic zero-days in consumer apps. They’re privilege-escalation flaws, firewall bugs, and remote-management software weaknesses in places defenders can’t afford to leave exposed. KEV is useful because it cuts through the noise and tells teams where the real fire is. (cisa.gov)

### Bottom line

The durable takeaway is simple — if a vulnerability lands in KEV, the debate is over. Someone is already weaponizing it. In this case, the clearest verified new entry is CVE-2026-31431 in the Linux kernel, and the surrounding context points to the same old lesson: attacker-favorite infrastructure and admin tools still dominate the highest-priority patch queue. (cisa.gov)
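
The three triage steps under "So what should defenders do with this?", as an added example that is not part of the original article: it matches a constructed sample in the shape of the KEV JSON feed against a hypothetical inventory and orders the work by internal deadline. The inventory, the placeholder entry `CVE-0000-00001`, the 14-day fast-track policy and the function name `triage` are assumptions.

```python
import json
from datetime import date, timedelta

# Constructed sample in the shape of CISA's KEV JSON feed. CVE-2026-31431 and
# its dates are from the article; the second entry is a labelled placeholder.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-31431", "vendorProject": "Linux", "product": "Kernel",
   "dateAdded": "2026-05-01", "dueDate": "2026-05-22"},
  {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor",
   "product": "Remote Support", "dateAdded": "2026-05-01", "dueDate": "2026-05-22"}
]}
""")

# Hypothetical inventory; real ones need CPE or package-level matching.
INVENTORY = [
    {"host": "build-01", "vendor": "linux", "product": "kernel", "exposure": "internal"},
    {"host": "rmm-gw", "vendor": "examplevendor", "product": "remote support", "exposure": "edge"},
    {"host": "mail-01", "vendor": "othervendor", "product": "mta", "exposure": "edge"},
]

# Assumed local policy: edge and remote-admin assets are fixed 14 days early.
EARLY = timedelta(days=14)
FAST_TRACK = {"edge", "remote-admin"}


def triage(kev, inventory, today):
    """Match KEV entries to owned assets and order the work by internal deadline."""
    work = []
    for vuln in kev["vulnerabilities"]:
        key = (vuln["vendorProject"].lower(), vuln["product"].lower())
        added = date.fromisoformat(vuln["dateAdded"])
        due = date.fromisoformat(vuln["dueDate"])
        for asset in inventory:
            if (asset["vendor"], asset["product"]) != key:
                continue  # step one: only products actually in the environment
            # step two: CISA's date, or earlier (never before listing) if exposed
            target = max(added, due - EARLY) if asset["exposure"] in FAST_TRACK else due
            work.append({
                "host": asset["host"], "cve": vuln["cveID"], "target": target,
                "overdue": today > target,
                # step three: hunting must look back at least to the listing date
                "min_hunt_days": (today - added).days,
            })
    return sorted(work, key=lambda item: (item["target"], item["host"]))


if __name__ == "__main__":
    for item in triage(KEV_SAMPLE, INVENTORY, date(2026, 5, 10)):
        print(item)
```
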