CISA Flags Four Actively Exploited CVEs, Gives Federal Agencies Until May 2026
Original source
CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline
The Hacker News
CISA has added four vulnerabilities to its Known Exploited Vulnerabilities catalog after confirming active exploitation in the wild. Federal civilian agencies now have a hard deadline in May 2026 to patch or mitigate the listed flaws under Binding Operational Directive 22-01, which treats KEV entries as mandatory remediation targets rather than advisories.
The KEV catalog is the de facto signal that a vulnerability has crossed from theoretical to operational risk — exploitation is no longer hypothetical, and adversaries are using it now. Inclusion typically reflects telemetry from incident response, threat intel partners, or vendor disclosures rather than CVSS scoring alone.
While the directive only legally binds federal agencies, private-sector defenders generally treat KEV additions as priority-one patching work. The May 2026 deadline gives agencies a defined window, but the practical implication is immediate: any organization running affected software should assume opportunistic scanning and exploitation are already underway.
This is an AI-generated summary. Read the original for the full story.