CISA KEV Adds 7 Flaws Including Exploited Defender Bugs
CISA's May 20 KEV update includes two actively exploited Microsoft Defender vulnerabilities and five legacy flaws from 2008-2010. Federal agencies have until June 3 to patch.
CISA added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog on May 20, 2026, including two actively exploited Microsoft Defender flaws and five legacy vulnerabilities from 2008-2010 that attackers are apparently still using. Federal agencies must remediate by June 3, 2026.
The inclusion of nearly two-decade-old Adobe and Microsoft bugs alongside current Defender vulnerabilities underscores an uncomfortable reality: old vulnerabilities don't retire—they just become obscure enough for attackers to exploit unnoticed.
The Microsoft Defender Vulnerabilities
Two 2026 flaws affecting Microsoft's security products made the catalog:
CVE-2026-41091 is a local privilege escalation vulnerability in the Microsoft Malware Protection Engine (version 1.26030.3008 and earlier). The engine improperly resolves links before accessing files, allowing attackers to gain SYSTEM privileges. Microsoft credited researchers Zen Dodd and Yuanpei Xu with the discovery.
CVE-2026-45498 is a denial-of-service vulnerability in the Microsoft Defender Antimalware Platform. Exploitation prevents Defender from functioning properly—effectively blinding the endpoint's primary security tool.
Both vulnerabilities have been exploited in the wild. Microsoft addressed them in platform versions 1.1.26040.8 (for CVE-2026-41091) and 4.18.26040.7 (for CVE-2026-45498).
The irony isn't lost: vulnerabilities in security software are particularly valuable to attackers because exploitation both grants access and degrades defensive visibility. This mirrors the pattern we've seen in endpoint management tools like FortiClient EMS, where security infrastructure becomes the attack vector.
Legacy Flaws Still Under Active Exploitation
CISA also added five vulnerabilities from 2008-2010:
| CVE | Product | Type |
|---|---|---|
| CVE-2008-4250 | Microsoft Windows | Buffer Overflow |
| CVE-2009-1537 | Microsoft DirectX | NULL Byte Overwrite |
| CVE-2009-3459 | Adobe Acrobat/Reader | Heap-Based Buffer Overflow |
| CVE-2010-0249 | Microsoft Internet Explorer | Use-After-Free |
| CVE-2010-0806 | Microsoft Internet Explorer | Use-After-Free |
These aren't theoretical concerns. CISA only adds vulnerabilities to the KEV catalog when it has evidence of active exploitation. Someone, somewhere, is still successfully attacking systems with 15-year-old bugs.
Why Old Vulnerabilities Persist
The presence of 2008-era bugs in a 2026 advisory reflects several realities:
Legacy systems don't disappear. Industrial control systems, specialized equipment, and air-gapped networks often run software that hasn't been updated in years. These systems become invisible until they're compromised.
Patch deployment lags. Even when patches exist, deployment across large organizations takes time. Some systems get missed. Others run custom configurations that make patching risky.
Attackers optimize for reliability. Old, well-understood vulnerabilities have stable, tested exploits. They work consistently across targets, making them valuable for opportunistic attacks and automated campaigns.
The Verizon DBIR 2026 highlighted vulnerability exploitation as a primary breach vector—and old vulnerabilities with proven exploits fit that pattern perfectly.
Federal Remediation Requirements
Under Binding Operational Directive 22-01, Federal Civilian Executive Branch agencies must remediate KEV vulnerabilities within specified timeframes. For this batch, the deadline is June 3, 2026.
The directive applies only to federal agencies, but CISA recommends all organizations—public and private—treat KEV additions as high-priority patching targets. The logic is straightforward: if CISA has evidence of active exploitation, your organization could be a target.
What Organizations Should Do
For Microsoft Defender Flaws
- Verify platform versions — Ensure Microsoft Defender components are updated to patched versions
- Check update mechanisms — Defender should auto-update, but verify it's actually happening
- Monitor for tampering — Unusual Defender behavior or crashes could indicate exploitation attempts
For Legacy Vulnerabilities
- Asset inventory — Identify any systems running software old enough to be affected by 2008-2010 bugs
- Compensating controls — Network segmentation, strict access controls, and monitoring for systems that can't be patched
- Retirement planning — Legacy systems with known, exploited vulnerabilities represent ongoing risk
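To turn the two checklists above into something repeatable, here is an added Python example (not code from the article or from CISA) that reads a KEV-style JSON feed, matches each entry against a host inventory, and ranks the entries by due date, number of exposed hosts and CVE age. The feed entries and the inventory are constructed samples shaped like CISA's feed (product strings are illustrative), and the 10-year "legacy" threshold is an assumption.

```python
import json
from datetime import date

# Constructed sample shaped like CISA's KEV JSON feed ("vulnerabilities" array):
# the CVE ids and dates follow the May 20, 2026 update, products are illustrative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Malware Protection Engine", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Defender Antimalware Platform", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "product": "DirectX", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2009-3459", "vendorProject": "Adobe", "product": "Acrobat/Reader", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2010-0249", "vendorProject": "Microsoft", "product": "Internet Explorer", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer", "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
]})
# Constructed inventory: host -> (vendor, product) pairs it runs; the plant HMI stands in for a legacy box.
INVENTORY = {
    "dc01": [("Microsoft", "Windows"), ("Microsoft", "Malware Protection Engine")],
    "hmi-plant2": [("Microsoft", "Windows"), ("Adobe", "Acrobat/Reader"), ("Microsoft", "Internet Explorer")],
    "laptop-42": [("Microsoft", "Defender Antimalware Platform")],
}
LEGACY_YEARS = 10  # assumption: flag CVEs at least this old as "legacy"
TODAY = date(2026, 5, 21)  # constructed reference date for the run

def cve_year(cve_id):
    """Year component of a CVE id, e.g. CVE-2008-4250 -> 2008."""
    return int(cve_id.split("-")[1])

def exposed_hosts(entry, inventory):
    """Hosts whose inventory lists the entry's vendor/product pair."""
    key = (entry["vendorProject"], entry["product"])
    return sorted(h for h, products in inventory.items() if key in products)

def triage(feed_json, inventory, today):
    """Rank KEV entries: soonest due date, then most exposed hosts, then oldest."""
    rows = []
    for e in json.loads(feed_json)["vulnerabilities"]:
        age = today.year - cve_year(e["cveID"])
        rows.append({
            "cve": e["cveID"],
            "days_left": (date.fromisoformat(e["dueDate"]) - today).days,
            "age_years": age,
            "legacy": age >= LEGACY_YEARS,
            "hosts": exposed_hosts(e, inventory),
        })
    rows.sort(key=lambda r: (r["days_left"], -len(r["hosts"]), -r["age_years"]))
    return rows

if __name__ == "__main__":
    for r in triage(KEV_SAMPLE, INVENTORY, TODAY):
        print(f'{r["cve"]:<15} due in {r["days_left"]:>2}d  legacy={r["legacy"]}  hosts={r["hosts"]}')
```

Entries that match no host still appear at the bottom of the list, which is the cue to check whether the inventory is incomplete rather than to assume the product is absent.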
The full list of KEV additions is available at CISA's Known Exploited Vulnerabilities Catalog.
For organizations tracking broader vulnerability trends, our resources page includes tools and guides for prioritizing remediation efforts.