RC RANDOM CHAOS

CISA Expands KEV Catalog With 8 Active Exploits, April-May 2026 Patch Deadlines

via The Hacker News

Original source

CISA Adds 8 Exploited Flaws to KEV, Sets April-May 2026 Federal Deadlines


CISA has added eight new actively exploited vulnerabilities to its Known Exploited Vulnerabilities catalog, with federal civilian agencies facing mandatory remediation deadlines spanning April and May 2026. The additions signal ongoing exploitation activity across enterprise software, networking equipment, and widely deployed platforms, a pattern consistent with previous KEV expansions driven by confirmed in-the-wild attack telemetry.

Under BOD 22-01, federal agencies must patch or mitigate each listed flaw by the specified date or discontinue use of the affected product. While the directive legally binds only federal entities, the KEV catalog functions as a de facto priority list for private-sector patch management, since inclusion confirms active exploitation rather than theoretical risk.

Organizations should cross-reference the eight additions against their asset inventory immediately. Vulnerabilities that reach KEV status have already cleared the threshold from proof-of-concept to operational attacker use, meaning exposure windows are measured against live threat activity rather than speculative timelines.
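One way to run that cross-reference, as an added example that is not part of the original article: it matches KEV-format records against an asset inventory by vendor and product and orders the hits by remediation deadline. The field names (`cveID`, `vendorProject`, `product`, `dateAdded`, `dueDate`) follow CISA's KEV JSON feed; the CVE IDs, vendors, products, hosts and dates are constructed placeholders, and `kev_exposure` and `norm` are hypothetical helper names.

```python
import json
from datetime import date

# Constructed sample in the field layout of CISA's KEV JSON feed.
# CVE IDs, vendors and products are placeholders, not real catalog entries.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Edge Gateway",
   "dateAdded": "2026-04-01", "dueDate": "2026-04-22"},
  {"cveID": "CVE-0000-0002", "vendorProject": "SampleSoft", "product": "Mail Server",
   "dateAdded": "2026-04-01", "dueDate": "2026-05-06"},
  {"cveID": "CVE-0000-0003", "vendorProject": "OtherCorp", "product": "Print Spooler",
   "dateAdded": "2025-01-10", "dueDate": "2025-01-31"}
]}
""")

# Constructed asset inventory: (hostname, vendor, product).
INVENTORY = [
    ("gw-01", "examplevendor", "edge gateway"),
    ("gw-02", "ExampleVendor", "Edge  Gateway"),
    ("mail-01", "SampleSoft", "Mail Server"),
    ("db-01", "SampleSoft", "Database"),
]

def norm(s):
    """Case- and whitespace-insensitive key for vendor/product matching."""
    return " ".join(s.lower().split())

def kev_exposure(catalog, inventory, added_since, today):
    """Return KEV entries added on/after added_since that match the inventory,
    sorted by due date, with affected hosts and days remaining."""
    by_key = {}
    for host, vendor, product in inventory:
        by_key.setdefault((norm(vendor), norm(product)), []).append(host)
    hits = []
    for v in catalog["vulnerabilities"]:
        if date.fromisoformat(v["dateAdded"]) < added_since:
            continue  # only the new batch of additions is of interest here
        hosts = by_key.get((norm(v["vendorProject"]), norm(v["product"])))
        if hosts:
            days = (date.fromisoformat(v["dueDate"]) - today).days
            hits.append({"cve": v["cveID"], "due": v["dueDate"],
                         "days_left": days, "hosts": sorted(hosts)})
    return sorted(hits, key=lambda h: h["due"])  # ISO dates sort chronologically

if __name__ == "__main__":
    for hit in kev_exposure(KEV_SAMPLE, INVENTORY, date(2026, 4, 1), date(2026, 4, 20)):
        print(hit)
```

A negative `days_left` marks an entry already past its due date. Exact vendor and product name matching is a simplifying assumption; inventories that name products differently from the catalog need a mapping step before this comparison.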


This is an AI-generated summary. Read the original for the full story.