CISA Adds 8 Exploited Flaws to Catalog, Sets Federal Deadlines

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) updated its public catalog of security vulnerabilities on Monday, adding eight new entries that are confirmed to be under active exploitation by malicious actors. The agency also established binding deadlines for federal civilian agencies to address these and other listed flaws, with the latest patches required by May 2026.

Details of the New Vulnerabilities

The newly added vulnerabilities impact a range of software from multiple vendors. Among the most notable are three flaws affecting Cisco’s Catalyst SD-WAN Manager, a network management product. CISA’s action indicates that federal authorities have verified these specific weaknesses are being used in real-world attacks, elevating their urgency for remediation.

One of the listed vulnerabilities is tracked as CVE-2023-27351. It carries a CVSS severity score of 8.2, classifying it as high severity. This flaw is an improper authentication vulnerability found in PaperCut print management software, which could allow an attacker to bypass login controls.

The inclusion in the Known Exploited Vulnerabilities (KEV) catalog is a significant designation. It serves as an authoritative warning to all organizations, not just federal bodies, about which software bugs are currently being weaponized. CISA bases its additions on evidence collected from its own operations and trusted partners in the cybersecurity community.

Binding Deadlines for Federal Agencies

In accordance with a binding operational directive, all federal civilian executive branch agencies are now required to apply patches for these eight vulnerabilities. CISA has set a final remediation deadline of May 1, 2026, for the flaws added this week.

This directive provides a structured timeline for government entities to identify, test, and deploy necessary fixes. The deadlines are not suggestions but mandatory compliance dates. Failure to meet them requires agencies to formally document their reasons and submit a plan for achieving compliance to CISA.

The policy is designed to enforce a standardized and accelerated response to the most critical threats across the federal government’s digital infrastructure. By setting clear dates, CISA aims to reduce the window of opportunity for attackers who target known, unpatched vulnerabilities.

Importance of the KEV Catalog

The KEV catalog functions as a prioritized to-do list for cybersecurity teams. While private sector companies are not legally bound by CISA’s directive, the catalog is widely used as a critical resource for prioritizing patch management efforts globally. Security professionals often treat its entries as requiring immediate action.

CISA regularly updates the catalog based on new intelligence. Each entry includes the Common Vulnerabilities and Exposures (CVE) identifier, a brief description, and the required action date for federal agencies. This transparency allows all organizations to benefit from the government’s threat intelligence.

The agency encourages all software users, including businesses and state or local governments, to review the catalog and align their security practices with its guidance. Proactively addressing vulnerabilities listed in the KEV is considered a fundamental step in defending against common cyber attacks.

Looking Ahead

CISA is expected to continue its routine updates to the KEV catalog as new exploitation evidence emerges. Organizations should monitor the catalog regularly and integrate it into their vulnerability management programs. The next set of mandated patches for federal agencies, stemming from future additions to the list, will follow a similar timeline, with deadlines typically set 6 to 12 months after a flaw’s publication in the catalog.
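As an added illustration of the integration the article recommends (not code from CISA or the original article), the following script matches scanner findings against KEV entries and orders them by the federal due date, with overdue items first. It assumes the field names of CISA's machine-readable KEV JSON feed (cveID, vendorProject, product, dueDate, knownRansomwareCampaignUse); only CVE-2023-27351 and its May 1, 2026 deadline come from the article, and the other entries are constructed placeholders.

```python
"""Prioritise patching by matching vulnerability findings against the CISA KEV catalog."""
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names assumed from
# the public feed). Only CVE-2023-27351 / 2026-05-01 come from the article; the
# CVE-0000-* identifiers are placeholders, not real vulnerabilities.
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2023-27351", "vendorProject": "PaperCut", "product": "Print management",
         "dueDate": "2026-05-01", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleApp",
         "dueDate": "2025-01-15", "knownRansomwareCampaignUse": "Known"},
        {"cveID": "CVE-0000-00002", "vendorProject": "OtherVendor", "product": "OtherApp",
         "dueDate": "2026-03-01", "knownRansomwareCampaignUse": "Unknown"},
    ]
})


def load_kev(feed_json: str) -> dict:
    """Index KEV entries by CVE identifier for O(1) lookup."""
    return {entry["cveID"]: entry for entry in json.loads(feed_json)["vulnerabilities"]}


def prioritise(kev: dict, findings: list, today: date) -> list:
    """Return the findings that appear in KEV, most urgent first.

    Ordering: already overdue entries first, then by soonest due date, with
    known ransomware campaign use breaking ties. Findings not in KEV are dropped
    here; they still belong in normal patch cycles, just not the expedited one.
    """
    hits = []
    for cve in set(findings):
        entry = kev.get(cve)
        if entry is None:
            continue
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "cveID": cve,
            "product": f'{entry["vendorProject"]} {entry["product"]}',
            "dueDate": entry["dueDate"],
            "daysLeft": (due - today).days,  # negative means overdue
            "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
        })
    hits.sort(key=lambda h: (h["daysLeft"] >= 0, h["daysLeft"], not h["ransomware"]))
    return hits


if __name__ == "__main__":
    scan = ["CVE-0000-00002", "CVE-2023-27351", "CVE-0000-00001", "CVE-0000-00009"]
    for hit in prioritise(load_kev(KEV_SAMPLE), scan, date(2025, 6, 1)):
        print(f'{hit["cveID"]}  due {hit["dueDate"]}  ({hit["daysLeft"]:+d} days)  {hit["product"]}')
```

In production the feed would be fetched from CISA's published KEV JSON URL rather than embedded, and the findings list would come from the organisation's scanner or asset inventory.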

Source: Original agency announcement and CISA KEV catalog.