CISA adds seven CVEs to KEV Catalog, two targeting Microsoft Defender
Most of the seven are legacy CVEs from 2008-2010, but the two 2026 Microsoft Defender entries are the unusual ones: exploited vulnerabilities in a defensive tool, not the OS.
TL;DR
CISA added seven CVEs to its Known Exploited Vulnerabilities Catalog on May 20, 2026, triggering mandatory remediation deadlines for Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01. Five entries are legacy Microsoft and Adobe vulnerabilities (2008-2010); two are 2026 Microsoft Defender flaws: CVE-2026-41091, an elevation of privilege, and CVE-2026-45498, a denial of service. The Defender inclusions are notable: KEV additions typically target OS or browser attack surface, not defensive tooling itself. CISA urges all organizations to prioritize remediation regardless of BOD 22-01 applicability.
Five of the seven CVEs are aged entries (Microsoft Windows, DirectX, Internet Explorer, and Adobe Acrobat vulnerabilities dating to 2008-2010), and their addition likely reflects evidence of renewed active exploitation against unpatched systems rather than new discoveries. FCEB agencies should check BOD 22-01 remediation due dates for each CVE individually, as deadlines are assigned per entry and are not uniform across a catalog update.
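The per-entry deadline check described above, as an added example (not code from CISA or from this article): it reads data in the shape of CISA's KEV JSON feed and lists each entry's `dueDate` for one catalog update. The embedded sample is constructed; its due dates, the non-Defender IDs and the function name `batch_deadlines` are placeholders or assumptions.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed. The dueDate values
# and the non-Defender CVE IDs are placeholders, not real catalog values.
SAMPLE_KEV = json.loads("""
{"vulnerabilities": [
  {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
   "dateAdded": "2026-05-20", "dueDate": "2026-06-03"},
  {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Defender",
   "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
  {"cveID": "CVE-PLACEHOLDER-LEGACY", "vendorProject": "Adobe", "product": "Acrobat",
   "dateAdded": "2026-05-20", "dueDate": "2026-06-10"},
  {"cveID": "CVE-PLACEHOLDER-OLDER", "vendorProject": "Example", "product": "Example",
   "dateAdded": "2026-04-01", "dueDate": "2026-04-22"}
]}
""")


def batch_deadlines(catalog, date_added, today):
    """Return (rows, uniform) for entries added on date_added.

    rows: list of (cveID, product, dueDate, days_left), earliest due date
    first; days_left is negative once the deadline has passed.
    uniform: True only if every entry in the batch shares one due date.
    """
    rows = []
    for v in catalog.get("vulnerabilities", []):
        if v.get("dateAdded") != date_added.isoformat():
            continue
        due_raw = v.get("dueDate")
        if not due_raw:
            # Missing deadline: surface the entry rather than silently skip it.
            rows.append((v.get("cveID"), v.get("product"), None, None))
            continue
        due = date.fromisoformat(due_raw)
        rows.append((v["cveID"], v.get("product"), due, (due - today).days))
    rows.sort(key=lambda r: (r[2] is None, r[2] or date.max))
    uniform = len({r[2] for r in rows}) <= 1
    return rows, uniform


if __name__ == "__main__":
    rows, uniform = batch_deadlines(SAMPLE_KEV, date(2026, 5, 20), date(2026, 6, 5))
    for cve, product, due, left in rows:
        status = "NO DUE DATE" if due is None else ("OVERDUE" if left < 0 else f"{left}d left")
        print(f"{cve!s:24} {product!s:10} {due}  {status}")
    print("uniform deadlines:", uniform)
```

Pointing the same function at a downloaded copy of the catalog JSON replaces the sample; the `uniform` flag reports whether a single deadline can be assumed for the whole update.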
The two 2026 Defender CVEs are the operationally relevant items. CVE-2026-41091 is an elevation of privilege in Microsoft Defender; CVE-2026-45498 is a denial of service. Both carry active exploitation evidence per CISA's standard KEV inclusion criteria. For contractors and agencies running Defender as a primary endpoint protection layer, a privilege escalation vulnerability in the security tool itself warrants immediate patch verification; the remediation is not academic. BOD 22-01 applies to FCEB agencies; defense contractors and subcontractors are not formally bound but face contractual and CMMC-adjacent risk if they operate unpatched systems with confirmed active exploitation documented in the federal catalog.
Deep Fathom