CISA flags seven exploited vulnerabilities for remediation
Two are 2026 flaws in Microsoft Defender, the endpoint protection tool federal agencies run for compliance.
TL;DR
CISA added seven vulnerabilities to its Known Exploited Vulnerabilities Catalog on May 20. Five are Windows, Internet Explorer, and Adobe Reader bugs from 2008 to 2010. Two are 2026 elevation-of-privilege and denial-of-service flaws in Microsoft Defender, the endpoint protection tool FCEB agencies run for compliance. BOD 22-01 requires FCEB agencies to remediate KEV entries by the due date CISA assigns to each entry; contractors supporting federal systems should match their patch cycles. Patch availability for the two Defender CVEs is not stated in the alert.
The seven additions span two distinct eras. Five date to 2008 through 2010: a Windows buffer overflow in the Server service (CVE-2008-4250, the bug fixed in MS08-067), a DirectX NULL byte overwrite (CVE-2009-1537), an Adobe Reader buffer overflow (CVE-2009-3459), and two Internet Explorer use-after-free vulnerabilities (CVE-2010-0249, CVE-2010-0806). All five predate BOD 22-01 by more than a decade. Their addition now indicates that CISA has evidence of active exploitation in the wild, one of the required criteria for KEV inclusion, but the alert does not elaborate on the specific exploitation activity behind any of the seven entries.

The two 2026 entries are CVE-2026-41091, a Microsoft Defender elevation-of-privilege vulnerability, and CVE-2026-45498, a Microsoft Defender denial-of-service vulnerability. Both carry current-year identifiers, indicating the CVE IDs were assigned this year.

For FCEB agencies, BOD 22-01 starts a remediation clock when a vulnerability hits the KEV catalog; the due date for each entry is published in the catalog itself. The alert does not state the specific due date for these seven entries and does not confirm whether patches are available for the two Defender CVEs. Agencies and contractors should treat the clock as running, read the due dates from the catalog, and check Microsoft's security update guidance directly for the Defender fixes.
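Because the alert itself omits the due dates, the practical check is to pull them from the KEV catalog feed and rank the seven entries by time remaining. The script below is an added example, not part of the CISA alert or this article; it parses the catalog's JSON shape (the `vulnerabilities` array with `cveID`, `vendorProject`, `product`, `dateAdded`, `requiredAction` and `dueDate` fields) and flags overdue entries. The embedded sample feed is constructed so the script runs offline, and the `dueDate` values in it are placeholders, not CISA's actual deadlines; pass `--live` to fetch the real feed instead.

```python
"""Triage CISA KEV catalog entries against a watchlist of CVE IDs.

Added example: reads the KEV JSON feed (or an embedded constructed sample),
keeps only watchlisted CVEs, and sorts them by days remaining to the
BOD 22-01 due date so the most urgent remediation lands at the top.
"""
import json
import sys
import urllib.request
from datetime import date, datetime

# Real URL of CISA's KEV catalog JSON feed.
KEV_FEED_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
                "known_exploited_vulnerabilities.json")

# The seven CVE IDs named in the May 20 alert.
WATCHLIST = {
    "CVE-2008-4250", "CVE-2009-1537", "CVE-2009-3459",
    "CVE-2010-0249", "CVE-2010-0806",
    "CVE-2026-41091", "CVE-2026-45498",
}

# CONSTRUCTED sample in the shape of the KEV feed so the script runs offline.
# The dueDate values are placeholders, NOT the due dates CISA assigned, and
# CVE-0000-0000 is a dummy non-watchlisted entry to exercise the filter.
SAMPLE_FEED = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft",
         "product": "Defender", "dateAdded": "2026-05-20",
         "requiredAction": "Apply mitigations per vendor instructions.",
         "dueDate": "2026-06-10"},
        {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft",
         "product": "Windows", "dateAdded": "2026-05-20",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-06-10"},
        {"cveID": "CVE-2010-0249", "vendorProject": "Microsoft",
         "product": "Internet Explorer", "dateAdded": "2026-05-20",
         "requiredAction": "Apply updates per vendor instructions.",
         "dueDate": "2026-05-22"},
        {"cveID": "CVE-0000-0000", "vendorProject": "Example",
         "product": "Not on watchlist", "dateAdded": "2026-01-05",
         "requiredAction": "n/a", "dueDate": "2026-01-26"},
    ]
})


def load_kev(raw=None, url=KEV_FEED_URL):
    """Parse KEV JSON from a string, or fetch the live feed when raw is None."""
    if raw is None:
        with urllib.request.urlopen(url, timeout=30) as resp:
            raw = resp.read().decode("utf-8")
    return json.loads(raw)["vulnerabilities"]


def triage(entries, watchlist, today):
    """Return watchlisted entries with days left to dueDate, most urgent first.

    `today` may be a datetime.date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for e in entries:
        if e["cveID"] not in watchlist:
            continue
        due = datetime.strptime(e["dueDate"], "%Y-%m-%d").date()
        days_left = (due - today).days
        rows.append({
            "cve": e["cveID"],
            "product": f'{e.get("vendorProject", "")} {e.get("product", "")}'.strip(),
            "due": due.isoformat(),
            "days_left": days_left,
            "status": "OVERDUE" if days_left < 0 else "open",
        })
    # Stable sort: ties keep feed order, overdue entries surface first.
    return sorted(rows, key=lambda r: r["days_left"])


def missing_from_catalog(entries, watchlist):
    """Watchlist IDs absent from the feed copy (stale mirror, typo, or not yet published)."""
    return sorted(watchlist - {e["cveID"] for e in entries})


if __name__ == "__main__":
    raw = None if "--live" in sys.argv else SAMPLE_FEED
    entries = load_kev(raw)
    for r in triage(entries, WATCHLIST, date.today()):
        print(f'{r["cve"]:<16} {r["product"]:<28} due {r["due"]} '
              f'({r["days_left"]:+d} d) {r["status"]}')
    for cve in missing_from_catalog(entries, WATCHLIST):
        print(f"{cve}: not present in this catalog copy")
```

The `missing_from_catalog` check matters on the day of an alert: mirrored or cached copies of the feed can lag CISA's publication, and an ID that is on the watchlist but not in the catalog copy should be treated as a stale feed, not as "no deadline".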
Deep Fathom