Seven Actively Exploited Vulnerabilities Added to CISA KEV Catalog (CVE‑2008‑4250, CVE‑2009‑1537, CVE‑2009‑3459, CVE‑2010‑0249, CVE‑2010‑0806, CVE‑2026‑41091, CVE‑2026‑45498) Threaten Enterprise Systems
What It Is — CISA announced that seven CVEs, spanning Microsoft Windows, DirectX, Adobe Acrobat/Reader, Internet Explorer, and Microsoft Defender, have been confirmed as actively exploited and added to the Known Exploited Vulnerabilities (KEV) Catalog. The catalog directs federal agencies—and the broader enterprise community—to prioritize remediation of these high‑risk flaws.
Exploitability — All seven vulnerabilities have evidence of real‑world exploitation. The legacy bugs (2008‑4250, 2009‑1537, 2009‑3459, 2010‑0249, 2010‑0806) continue to be leveraged against unpatched systems; the two 2026 findings (41091, 45498) are newly disclosed with active exploit reports. CVSS scores range from 7.5 to 9.8, indicating high to critical severity.
Affected Products — Microsoft Windows (buffer overflow), Microsoft DirectX (NULL‑byte overwrite), Adobe Acrobat/Reader (heap‑based buffer overflow), Microsoft Internet Explorer (use‑after‑free), Microsoft Defender (elevation‑of‑privilege and denial‑of‑service).
TPRM Impact — Any third‑party that bundles or supports these components inherits the same exposure, creating supply‑chain risk, potential data loss, and service disruption for downstream customers. Legacy environments common in managed services, government contractors, and on‑prem SaaS offerings are especially vulnerable.
Recommended Actions —
- Conduct an immediate inventory of all assets running the listed products and versions.
- Deploy Microsoft and Adobe patches without delay; where patches are unavailable, apply compensating controls (network segmentation, application whitelisting, IDS signatures).
- Integrate the KEV list into your vulnerability‑scoring framework and meet BOD 22‑01 remediation deadlines.
- Notify affected customers, update third‑party risk registers, and document remediation status for audit purposes.
Source: CISA Advisory – May 20 2026