The cybersecurity landscape is constantly evolving, but one truth remains: the most immediate threats come from vulnerabilities that are already being actively exploited in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) recently underscored this reality by adding seven new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog.

This addition serves as a critical, non-negotiable directive for federal agencies and a severe warning for all organizations, public or private. If any of these flaws exist in your network, they are not theoretical risks—they are active attack vectors being used by malicious actors right now.


Why the KEV Catalog Matters

CISA’s KEV Catalog is far more than just a list of security bugs. It is a live, authoritative resource of Common Vulnerabilities and Exposures (CVEs) that meet a simple but terrifying criterion: they have been observed in active exploitation.

This catalog powers Binding Operational Directive (BOD) 22-01, which mandates that all Federal Civilian Executive Branch (FCEB) agencies must remediate these specific vulnerabilities by a CISA-prescribed due date. For FCEB entities, this is a matter of compliance and immediate operational security.

However, CISA’s message is clear to all organizations—State, Local, Tribal, Territorial (SLTT) governments, and private industry: treating the KEV Catalog as your absolute top priority for patching is the single best way to reduce your exposure to significant cyberattacks. These vulnerabilities represent the most frequent and dangerous entry points for threat actors.


The Seven New Exploited Vulnerabilities You Must Patch

The latest batch of additions includes a mix of critical flaws, some dating back over a decade, proving that old vulnerabilities never truly die if they remain unpatched. The diversity of the list—spanning operating systems, browsers, and enterprise software—underscores the broad attack surface currently being targeted.

CVE ID | Product & Vulnerability Type | Key Takeaway
--- | --- | ---
CVE-2010-3765 | Mozilla Multiple Products Remote Code Execution (RCE) | A very old RCE flaw affecting Firefox and Thunderbird components, allowing attackers to execute arbitrary code via specially crafted content. Its continued exploitation shows the danger of legacy components.
CVE-2010-3962 | Microsoft Internet Explorer Uninitialized Memory Corruption | Affecting older versions of IE, this RCE is related to use-after-free and memory corruption, which is a classic pathway for remote attackers to gain control.
CVE-2011-3402 | Microsoft Windows Remote Code Execution (RCE) | An RCE vulnerability in the Windows TrueType font parsing engine (win32k.sys), which could allow an attacker to run arbitrary code in kernel mode—the highest system privilege.
CVE-2013-3918 | Microsoft Windows Out-of-Bounds Write | This flaw resides in an ActiveX control (icardie.dll), enabling remote attackers to execute arbitrary code or cause a Denial of Service (DoS) via an out-of-bounds write.
CVE-2021-22555 | Linux Kernel Heap Out-of-Bounds Write | A highly severe flaw in the Linux kernel’s netfilter subsystem, allowing a local attacker to potentially gain elevated privileges or cause a Denial of Service. Local Privilege Escalation (LPE) is a critical step in a multi-stage attack.
CVE-2021-43226 | Microsoft Windows Privilege Escalation | A vulnerability in the Windows Common Log File System (CLFS) Driver that allows a local, low-privilege attacker to escalate their access to SYSTEM-level privileges, effectively handing the machine over to the adversary.
CVE-2025-61882 | Oracle E-Business Suite Unspecified Vulnerability | This critical flaw in a major enterprise software suite is remotely exploitable without authentication, meaning an attacker can compromise a system over the network without a username or password.


Call to Action: Prioritize Immediate Remediation

The inclusion of a vulnerability in the KEV Catalog removes all doubt about its exploitability. The time for deliberation is over; the time for action is now.

  1. Immediate Scanning: Dedicate resources to immediately scan all enterprise and end-user assets for the presence of these seven CVEs.
  2. Verify Patch Status: For older, potentially retired systems or end-of-life software (like some of the decade-old Microsoft and Mozilla flaws), verify that patches or vendor-recommended mitigations are in place. If not, discontinuing the use of the product is the most effective mitigation.
  3. Patch Critical Systems: Prioritize patching for the most severe vulnerabilities, particularly the Remote Code Execution (RCE) flaws and the Privilege Escalation (PE) flaw, as these lead to complete system compromise. The Oracle E-Business Suite vulnerability is particularly critical due to its unauthenticated remote exploitability.
  4. Adopt a KEV-First Policy: Integrate the CISA KEV Catalog directly into your vulnerability management program. Any vulnerability added to this list should automatically jump to the head of the remediation queue, superseding CVSS scores or other internal priorities.
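The four steps above amount to one workflow: scan, cross-reference against the KEV Catalog, and push KEV-listed findings to the front of the queue ahead of CVSS. The script below is an added example written for this article, not code from CISA or from any vendor. The feed URL is the real location of the KEV JSON; the feed excerpt and the scanner findings embedded here are constructed so the script runs offline, the due dates are placeholders rather than CISA's actual deadlines, and the CVE-2099-* identifiers are invented stand-ins for ordinary non-KEV findings.

```python
"""KEV-first remediation queue.

Cross-references vulnerability-scan findings against the CISA KEV feed and
orders remediation so that every KEV-listed CVE comes before everything
else, regardless of CVSS. Added example for this article, not CISA code."""
import json
from datetime import date

# Real location of the CISA KEV feed; a scheduled job would download this.
KEV_FEED_URL = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"

# Constructed excerpt in the shape of that feed. The CVE IDs and products are
# the seven from the article; the dueDate values are placeholders, NOT CISA's
# actual deadlines.
KEV_FEED_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities (constructed excerpt)",
  "vulnerabilities": [
    {"cveID": "CVE-2010-3765", "vendorProject": "Mozilla",   "product": "Multiple Products", "dueDate": "2025-11-10"},
    {"cveID": "CVE-2010-3962", "vendorProject": "Microsoft", "product": "Internet Explorer", "dueDate": "2025-11-10"},
    {"cveID": "CVE-2011-3402", "vendorProject": "Microsoft", "product": "Windows",           "dueDate": "2025-11-10"},
    {"cveID": "CVE-2013-3918", "vendorProject": "Microsoft", "product": "Windows",           "dueDate": "2025-11-10"},
    {"cveID": "CVE-2021-22555", "vendorProject": "Linux",    "product": "Kernel",            "dueDate": "2025-11-10"},
    {"cveID": "CVE-2021-43226", "vendorProject": "Microsoft", "product": "Windows",          "dueDate": "2025-11-10"},
    {"cveID": "CVE-2025-61882", "vendorProject": "Oracle",   "product": "E-Business Suite",  "dueDate": "2025-10-27"}
  ]
}"""

# Constructed scanner output: one row per (asset, CVE). CVSS values are made
# up; the CVE-2099-* IDs are invented placeholders for non-KEV findings and
# exist only to show that a high CVSS does not outrank a KEV entry.
SCAN_FINDINGS = [
    {"asset": "erp-app-01",    "cve": "CVE-2025-61882", "cvss": 9.8},
    {"asset": "ws-finance-12", "cve": "CVE-2021-43226", "cvss": 7.8},
    {"asset": "ws-finance-12", "cve": "CVE-2010-3765",  "cvss": 9.3},
    {"asset": "build-lnx-03",  "cve": "CVE-2021-22555", "cvss": 7.8},
    {"asset": "build-lnx-03",  "cve": "CVE-2099-00001", "cvss": 9.9},
    {"asset": "ws-hr-07",      "cve": "CVE-2099-00002", "cvss": 5.3},
]

TIER_LABELS = {0: "KEV-overdue", 1: "KEV", 2: "backlog"}


def load_kev(feed_text):
    """Parse the KEV JSON feed into a dict keyed by CVE ID."""
    feed = json.loads(feed_text)
    return {entry["cveID"]: entry for entry in feed["vulnerabilities"]}


def kev_hits(kev, findings):
    """Set of KEV-listed CVE IDs that the scanner actually found."""
    return {f["cve"] for f in findings if f["cve"] in kev}


def tier_for(kev, cve, today):
    """0 = in KEV and past its due date, 1 = in KEV, 2 = not in KEV."""
    entry = kev.get(cve)
    if entry is None:
        return 2
    return 0 if date.fromisoformat(entry["dueDate"]) < today else 1


def build_queue(kev, findings, today_iso):
    """Order findings KEV-first.

    Within the KEV tiers an earlier due date wins, then higher CVSS; outside
    KEV, CVSS alone decides. A non-KEV finding never outranks a KEV one."""
    today = date.fromisoformat(today_iso)

    def sort_key(f):
        tier = tier_for(kev, f["cve"], today)
        due = date.fromisoformat(kev[f["cve"]]["dueDate"]) if tier < 2 else date.max
        return (tier, due, -f["cvss"], f["asset"], f["cve"])

    queue = []
    for f in sorted(findings, key=sort_key):
        tier = tier_for(kev, f["cve"], today)
        queue.append({
            **f,
            "tier": TIER_LABELS[tier],
            "due": kev[f["cve"]]["dueDate"] if tier < 2 else None,
        })
    return queue


def overdue_assets(queue):
    """Assets still carrying a KEV CVE past its due date (a compliance gap)."""
    return sorted({f["asset"] for f in queue if f["tier"] == "KEV-overdue"})


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for item in build_queue(kev, SCAN_FINDINGS, "2025-11-01"):
        print(f'{item["tier"]:<12} {item["cve"]:<15} {item["asset"]:<14} '
              f'cvss={item["cvss"]} due={item["due"]}')
    print("overdue assets:", overdue_assets(kev and build_queue(kev, SCAN_FINDINGS, "2025-11-01")))
```

In production, replace KEV_FEED_JSON with the downloaded feed and SCAN_FINDINGS with your scanner's export; the "KEV-overdue" tier is the set a BOD 22-01 compliance report would flag, and the placeholder CVE with CVSS 9.9 landing in the backlog is the KEV-first policy in action.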

Cyber adversaries rely on slow patching cycles. By taking swift, decisive action on the KEV Catalog, organizations can slam the door shut on the attack vectors that are proven to be the most active and successful threats today. Don’t wait until one of these known, exploited vulnerabilities is used against you.