PROBABLYPWNED
Vulnerabilities | February 18, 2026 | 3 min read

CISA Adds Four Flaws to KEV, Including 17-Year-Old ActiveX Bug

CISA confirms active exploitation of Chrome CVE-2026-2441, Zimbra SSRF, Windows ActiveX CVE-2008-0015, and ThreatSonar flaws. Federal agencies face March 10 deadline.

Marcus Chen

CISA added four vulnerabilities to its Known Exploited Vulnerabilities catalog on February 17, including a 17-year-old Windows ActiveX flaw that attackers are weaponizing to distribute the Dogkild worm. The additions underscore a persistent reality: old vulnerabilities never die when legacy systems remain in production.

The four CVEs span nearly two decades of software, from a 2008 Windows component to last week's Chrome zero-day. Federal agencies must remediate all four by March 10, 2026.

The Vulnerabilities

CVE-2026-2441 (CVSS 8.8) affects Google Chrome's CSS rendering engine. This use-after-free vulnerability enables remote code execution through crafted HTML pages. Google patched it last week after confirming wild exploitation, and we covered the details in our initial Chrome zero-day coverage.

CVE-2008-0015 (CVSS 8.8) is a stack-based buffer overflow in Microsoft Windows Video ActiveX Control. Yes, 2008. Attackers are using it to distribute Dogkild, a worm that has plagued Windows environments for over a decade. The vulnerability allows remote code execution when victims visit specially crafted web pages—a reminder that ActiveX remains a threat vector for organizations running legacy configurations.

CVE-2020-7796 (CVSS 9.8) is a server-side request forgery flaw in Synacor Zimbra Collaboration Suite. Attackers can force the mail server to make requests to internal systems, potentially accessing cloud metadata services or internal APIs. CISA's previous KEV updates in January included other Zimbra flaws, indicating sustained attacker interest in the platform.

CVE-2024-7694 (CVSS 7.2) affects TeamT5 ThreatSonar Anti-Ransomware versions 3.4.5 and earlier. The arbitrary file upload vulnerability lets attackers achieve remote command execution on the server—ironic given the product's purpose is preventing ransomware.

Why Old CVEs Keep Appearing

The ActiveX vulnerability highlights a frustrating pattern. CVE-2008-0015 was patched when the iPhone 3G was new. Yet nearly 400 IP addresses are actively exploiting the Zimbra SSRF flaw, and Dogkild continues spreading through the ancient ActiveX bug.

Three factors keep old vulnerabilities alive:

  1. Legacy systems run forever - Industrial control systems, healthcare equipment, and internal tools often can't be updated without breaking dependencies
  2. Attackers scan for everything - Automated exploitation means every unpatched system eventually gets found
  3. Patch verification fails - Organizations assume they're patched but miss edge cases or reimaged systems

The ThreatSonar vulnerability adds another dimension. Security tools themselves become targets. An anti-ransomware product with an RCE bug is a perfect foothold for ransomware operators.

Required Actions

BOD 22-01 requires Federal Civilian Executive Branch agencies to patch these vulnerabilities by March 10, 2026. While the directive only applies to federal systems, CISA urges all organizations to prioritize KEV catalog entries.

For organizations that haven't touched ActiveX in years, now is the time to audit. The control may be disabled globally but re-enabled through Group Policy overrides, application compatibility shims, or legacy software requirements. If you're running Zimbra on-premises, assume you're being scanned.
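As an added illustration of that audit (example code, not from the article or from CISA), the following PowerShell checks whether a given ActiveX control still has a registered server, whether its kill bit is set machine-wide, and whether an Add-on List policy entry overrides it. The CLSID is a placeholder you replace with the control being audited; the policy registry path is assumed from standard Internet Explorer Group Policy behaviour.

```powershell
# Added example: audit an ActiveX control's kill bit and policy overrides.
# $Clsid is a PLACEHOLDER - substitute the CLSID of the control you are auditing.
param(
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

$KillBit = 0x400  # COMPAT_KILLBIT flag inside the "Compatibility Flags" DWORD

# 1. Is the control's in-process server still registered at all?
$Server = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid\InprocServer32" `
            -ErrorAction SilentlyContinue).'(default)'
if ($Server) { "Registered server: $Server" } else { "CLSID $Clsid is not registered on this host." }

# 2. Kill-bit locations (64-bit view and 32-bit view on x64 systems).
$CompatPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)
$KillBitResults = foreach ($Path in $CompatPaths) {
    $Flags = (Get-ItemProperty -Path $Path -Name 'Compatibility Flags' `
               -ErrorAction SilentlyContinue).'Compatibility Flags'
    [pscustomobject]@{
        Path       = $Path
        Flags      = if ($null -eq $Flags) { 'not present' } else { '0x{0:X}' -f $Flags }
        KillBitSet = ($null -ne $Flags) -and (($Flags -band $KillBit) -ne 0)
    }
}
$KillBitResults | Format-Table -AutoSize

# 3. Assumed policy location: the IE "Add-on List" GPO stores per-CLSID state here
#    (1 = allowed, 0 = denied, 2 = user-managed). An entry of 1 re-enables a control
#    that an administrator believed was switched off.
$PolicyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID'
$PolicyState = (Get-ItemProperty -Path $PolicyPath -Name $Clsid -ErrorAction SilentlyContinue).$Clsid
if ($null -ne $PolicyState) { "Add-on List policy entry for $Clsid = $PolicyState" }

# 4. Verdict: the control is only neutralised if it is unregistered or kill-bitted.
$Protected = (-not $Server) -or ($KillBitResults | Where-Object { $_.KillBitSet })
if (-not $Protected) {
    Write-Warning "Control $Clsid is registered and no kill bit is set - legacy content can still instantiate it."
} elseif ($PolicyState -eq 1) {
    Write-Warning "Kill bit present but Add-on List policy explicitly allows $Clsid; review the GPO source."
}
```

Run it under an elevated prompt on a sample of hosts from each image or GPO scope, since the article's point is that overrides and reimaged machines are where assumptions about "disabled" controls fail.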

The Bigger Picture

CISA's February KEV additions paint a picture of an attack landscape where age doesn't matter. Attackers use whatever works. A 17-year-old ActiveX bug distributing worm malware sits alongside a week-old Chrome zero-day on the same priority list.

For defenders, this means vulnerability management can't just track recent CVEs. Legacy systems need the same scrutiny as current deployments—or better, they need decommissioning. The Chrome flaw will get patched automatically for most users. The ActiveX bug affects systems that probably haven't seen a browser update since Obama's first term.

Organizations still running vulnerable configurations should consult our guides on vulnerability management for foundational practices and consider whether legacy systems truly need internet access.
