CISA adds Cisco, LiteSpeed CVEs to KEV catalog
For agencies and contractors, the practical job is patching exposed systems and checking whether attackers arrived first.
TL;DR
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-20262, a Cisco Catalyst SD-WAN Manager directory/path traversal flaw, and CVE-2026-54420, a LiteSpeed cPanel plugin UNIX symlink-following flaw, to the Known Exploited Vulnerabilities (KEV) catalog based on active exploitation. Binding Operational Directive (BOD) 26-04 requires Federal Civilian Executive Branch agencies to prioritize rapid remediation on qualifying publicly exposed assets and check for prior compromise. Contractors and managed service providers are not bound, but the de facto pressure follows the KEV list. CISA did not specify whether rapid remediation means emergency patching or accelerated standard cycles.
CISA added CVE-2026-20262 and CVE-2026-54420 to the Known Exploited Vulnerabilities (KEV) catalog, so the question is no longer whether the Cisco Catalyst SD-WAN Manager and LiteSpeed cPanel plugin flaws are being exploited. CISA says they are. The practical question is how fast the exposed-asset queue moves under Binding Operational Directive (BOD) 26-04. The directive updates BOD 22-01, keeps KEV central to federal vulnerability management, and requires Federal Civilian Executive Branch agencies to prioritize rapid remediation of high-risk KEV CVEs on publicly exposed assets while setting expectations for checking whether compromise occurred before patching. For contractors and managed service providers, the directive is not binding. KEV is still the list federal customers will ask about first. CISA left the timing question open: rapid remediation may mean an emergency window, or it may mean the fastest defensible standard cycle. Asset owners should answer that before the ticket hits change control.
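One way to turn KEV entries into the exposed-asset queue the article describes, as an added example (not code from the article, from Deep Fathom, or from CISA): it parses a feed that uses the field names of CISA's public KEV JSON (cveID, vendorProject, product, dateAdded, dueDate, requiredAction), matches entries against an asset inventory by vendor and product, and orders internet-exposed matches first, soonest due date first. The feed records, their dates and names, the inventory, and the CVE-0000-00000 placeholder entry are all constructed for the example; matching on vendor and product name alone, with no version ranges, is a simplification.

```python
"""Build a KEV remediation queue with publicly exposed assets at the front.

Added example; the feed below is a constructed sample in the shape of CISA's
KEV JSON feed, not the live feed, and every date and vulnerabilityName in it
is illustrative.
"""
import json
from datetime import date

# Constructed KEV-style feed. Keys follow CISA's KEV JSON schema; the values
# (dates, names, required actions) are made up for this example.
KEV_FEED_JSON = json.dumps({
    "title": "constructed KEV-style sample (not the live CISA feed)",
    "vulnerabilities": [
        {
            "cveID": "CVE-2026-20262",
            "vendorProject": "Cisco",
            "product": "Catalyst SD-WAN Manager",
            "vulnerabilityName": "Cisco Catalyst SD-WAN Manager Path Traversal Vulnerability",
            "dateAdded": "2026-04-01",
            "dueDate": "2026-04-22",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            "cveID": "CVE-2026-54420",
            "vendorProject": "LiteSpeed",
            "product": "cPanel plugin",
            "vulnerabilityName": "LiteSpeed cPanel Plugin UNIX Symbolic Link Following Vulnerability",
            "dateAdded": "2026-04-01",
            "dueDate": "2026-04-15",
            "requiredAction": "Apply mitigations per vendor instructions.",
            "knownRansomwareCampaignUse": "Unknown",
        },
        {
            # Placeholder entry for a product that is not in the inventory,
            # so the example shows a KEV row that produces no work item.
            "cveID": "CVE-0000-00000",
            "vendorProject": "ExampleVendor",
            "product": "ExampleProduct",
            "vulnerabilityName": "Placeholder Vulnerability",
            "dateAdded": "2026-04-01",
            "dueDate": "2026-04-08",
            "requiredAction": "Placeholder.",
            "knownRansomwareCampaignUse": "Unknown",
        },
    ],
})

# Constructed asset inventory; the format is an assumption of this example.
INVENTORY = [
    {"asset": "sdwan-mgr-01", "vendor": "Cisco", "product": "Catalyst SD-WAN Manager", "internet_exposed": True},
    {"asset": "web-03", "vendor": "LiteSpeed", "product": "cPanel plugin", "internet_exposed": False},
    {"asset": "web-04", "vendor": "litespeed", "product": "cPanel Plugin", "internet_exposed": True},
    {"asset": "fileshare-01", "vendor": "Other", "product": "NAS", "internet_exposed": True},
]


def load_kev(feed_json: str) -> dict:
    """Parse a KEV-style feed into a dict keyed by cveID."""
    feed = json.loads(feed_json)
    return {rec["cveID"]: rec for rec in feed["vulnerabilities"]}


def _product_key(vendor: str, product: str) -> tuple:
    # Normalise case and whitespace so inventory spellings still match.
    return (vendor.strip().lower(), product.strip().lower())


def build_queue(feed_json: str, inventory: list, today_iso: str) -> list:
    """Return one work item per (asset, KEV CVE) match.

    Internet-exposed assets come first; within each group the soonest
    dueDate leads. days_until_due is negative once the date has passed.
    """
    today = date.fromisoformat(today_iso)
    by_product = {}
    for rec in load_kev(feed_json).values():
        by_product.setdefault(_product_key(rec["vendorProject"], rec["product"]), []).append(rec)

    queue = []
    for asset in inventory:
        for rec in by_product.get(_product_key(asset["vendor"], asset["product"]), []):
            due = date.fromisoformat(rec["dueDate"])
            queue.append({
                "asset": asset["asset"],
                "cveID": rec["cveID"],
                "internet_exposed": asset["internet_exposed"],
                "days_until_due": (due - today).days,
                "overdue": due < today,
                "requiredAction": rec["requiredAction"],
            })
    queue.sort(key=lambda e: (not e["internet_exposed"], e["days_until_due"], e["asset"]))
    return queue


if __name__ == "__main__":
    for item in build_queue(KEV_FEED_JSON, INVENTORY, "2026-04-10"):
        flag = "EXPOSED" if item["internet_exposed"] else "internal"
        print(f'{flag:8} {item["asset"]:14} {item["cveID"]:16} due in {item["days_until_due"]:>3} days')
```

The exposed/internal split is what the directive's prioritisation turns on; replace the constructed feed with the downloaded KEV JSON and the inventory with your CMDB export, and extend the match key with version ranges before relying on it.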
Published · Deep Fathom