CISA adds known exploited vulnerability to its catalog

CISA has added a new vulnerability to its Catalog of Known Exploited Vulnerabilities (KEV), based on evidence of active exploitation.

This type of vulnerability is a common attack vector for malicious cyber actors and presents significant risks to the federal enterprise.

Binding Operational Directive (BOD) 26-04, Prioritize Security Updates Based on Risk, establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies and updates BOD 22-01. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, in particular KEV-listed CVEs on publicly exposed assets where successful exploitation grants full control of the asset, while allowing action on low-risk vulnerabilities to be deferred. BOD 26-04 also sets baseline expectations for when agencies should verify whether malicious actors have already compromised a system before patching it, since applying the patch closes the entry point but does not remove an intruder who has already used it.

Although BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of KEV catalog vulnerabilities. CISA will continue to add vulnerabilities to the catalog that meet the specified criteria.

Are you aware of an exploited vulnerability that is not currently listed in the KEV catalog? Submit it for potential addition through the KEV nomination form. Potential KEV additions must have a CVE ID, evidence of active exploitation, and clear mitigation guidance.