HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Advisory

Seven Actively Exploited Vulnerabilities Added to CISA KEV Catalog (CVE‑2008‑4250, CVE‑2009‑1537, CVE‑2009‑3459, CVE‑2010‑0249, CVE‑2010‑0806, CVE‑2026‑41091, CVE‑2026‑45498) Threaten Enterprise Systems

CISA has placed seven known‑exploited CVEs—including legacy Windows and Internet Explorer bugs and two new Microsoft Defender flaws—into its KEV catalog. The advisory urges all organizations to prioritize patching to mitigate supply‑chain and service‑disruption risk.

LiveThreat™ Intelligence · 📅 May 21, 2026· 📰 cisa.gov
🟠
Severity
High
AD
Type
Advisory
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
4 recommended
📰
Source
cisa.gov

Seven Actively Exploited Vulnerabilities Added to CISA KEV Catalog (CVE‑2008‑4250, CVE‑2009‑1537, CVE‑2009‑3459, CVE‑2010‑0249, CVE‑2010‑0806, CVE‑2026‑41091, CVE‑2026‑45498) Threaten Enterprise Systems

What It Is — CISA announced that seven CVEs, spanning Microsoft Windows, DirectX, Adobe Acrobat/Reader, Internet Explorer, and Microsoft Defender, have been confirmed as actively exploited and added to the Known Exploited Vulnerabilities (KEV) Catalog. The catalog directs federal agencies—and the broader enterprise community—to prioritize remediation of these high‑risk flaws.

Exploitability — All seven vulnerabilities have evidence of real‑world exploitation. The legacy bugs (2008‑4250, 2009‑1537, 2009‑3459, 2010‑0249, 2010‑0806) continue to be leveraged against unpatched systems; the two 2026 findings (41091, 45498) are newly disclosed with active exploit reports. CVSS scores range from 7.5 to 9.8, indicating high to critical severity.

Affected Products — Microsoft Windows (buffer overflow), Microsoft DirectX (NULL‑byte overwrite), Adobe Acrobat/Reader (heap‑based buffer overflow), Microsoft Internet Explorer (use‑after‑free), Microsoft Defender (elevation‑of‑privilege and denial‑of‑service).

TPRM Impact — Any third‑party that bundles or supports these components inherits the same exposure, creating supply‑chain risk, potential data loss, and service disruption for downstream customers. Legacy environments common in managed services, government contractors, and on‑prem SaaS offerings are especially vulnerable.

Recommended Actions

  • Conduct an immediate inventory of all assets running the listed products and versions.
  • Deploy Microsoft and Adobe patches without delay; where patches are unavailable, apply compensating controls (network segmentation, application whitelisting, IDS signatures).
  • Integrate the KEV list into your vulnerability‑scoring framework and meet BOD 22‑01 remediation deadlines.
  • Notify affected customers, update third‑party risk registers, and document remediation status for audit purposes.

Source: CISA Advisory – May 20 2026

📰 Original Source
https://www.cisa.gov/news-events/alerts/2026/05/20/cisa-adds-seven-known-exploited-vulnerabilities-catalog

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →