Kev

CISA adds CVE-2025-49113 (CVSS 9.9) and CVE-2025-68461 to KEV catalog after attackers weaponized the deserialization flaw within 48 hours. Federal agencies must patch by March 13.

Federal agencies must patch CVE-2026-22769 by Saturday after CISA confirms Chinese hackers exploited the Dell RecoverPoint vulnerability since 2024.

CISA confirms active exploitation of Chrome CVE-2026-2441, Zimbra SSRF, Windows ActiveX CVE-2008-0015, and ThreatSonar flaws. Federal agencies face March 10 deadline.

GreyNoise reveals CISA silently updated ransomware indicators on 59 vulnerabilities without alerts. New RSS feed tool catches changes within an hour.

Four actively exploited vulnerabilities added to CISA's catalog including SolarWinds Web Help Desk deserialization flaw with CVSS 9.8. Federal agencies have until February 6 to patch.

Two critical code injection flaws in Ivanti Endpoint Manager Mobile enable unauthenticated RCE. Federal agencies must remediate by February 1.

CVE-2026-21509 bypasses OLE security protections across Office 2016-2024. CISA adds it to KEV catalog with February 16 deadline.

Five vulnerabilities added to CISA's KEV catalog this week. VMware vCenter RCE bug patched 18 months ago now seeing active exploitation.

January 2026 Patch Tuesday addresses CVE-2026-20805, an info disclosure bug already under attack. CISA gives feds until February 3 to patch.

January 7 KEV update includes CVE-2009-0556 from 2009 alongside recently patched HPE OneView vulnerability. Both are seeing active exploitation.

CVE-2025-59374 exploits compromised ASUS software distribution to deploy backdoors on consumer and enterprise systems worldwide.