CISA Adds Four Actively Exploited Vulnerabilities to KEV Catalog, Urges Rapid Remediation
The Cybersecurity and Infrastructure Security Agency (**CISA**) has updated its Known Exploited Vulnerabilities (**KEV**) Catalog with four new entries, citing evidence of active exploitation. These vulnerabilities, including critical flaws in **Lantronix** and **Ubiquiti UniFi OS** products, pose significant risks and necessitate immediate attention from federal agencies and private organizations alike.
**CISA** has issued an update to its **Known Exploited Vulnerabilities (KEV) Catalog**, adding four vulnerabilities that are currently under active exploitation by malicious actors. The addition underscores the persistent threat landscape and the importance of proactive vulnerability management.
### Newly Added Vulnerabilities
The four vulnerabilities added to the **KEV Catalog** include:
* **CVE-2025-67038**: **Lantronix EDS5000** Code Injection Vulnerability
* **CVE-2026-34908**: **Ubiquiti UniFi OS** Improper Access Control Vulnerability
* **CVE-2026-34909**: **Ubiquiti UniFi OS** Path Traversal Vulnerability
* **CVE-2026-34910**: **Ubiquiti UniFi OS** Improper Input Validation Vulnerability
These types of vulnerabilities are frequently leveraged by cybercriminals and nation-state actors, presenting substantial risks to both governmental and private sector enterprises.
### The Mandate for Federal Agencies
**Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk** outlines stringent vulnerability management requirements for Federal Civilian Executive Branch (**FCEB**) agencies. The directive emphasizes the central role of the **KEV Catalog**, mandating that federal agencies prioritize the rapid remediation of high-risk vulnerabilities, in particular catalog entries that affect publicly exposed assets and whose exploitation could lead to total system compromise. Lower-risk vulnerabilities, conversely, can be addressed on a deferred timeline.
Furthermore, **BOD 26-04** establishes clear expectations for agencies to verify whether a system was compromised by threat actors *before* a patch was applied, reinforcing a more comprehensive approach to incident response and post-patch analysis.
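The risk-based ordering described above, as an added illustration that is not part of the CISA announcement: a small Python script that reads entries in the layout of CISA's public KEV JSON feed, joins them against constructed scanner output, and buckets assets into rapid, standard and deferred tiers, flagging KEV-listed findings for a pre-patch compromise check. The feed excerpt reuses the four CVE IDs named in this article; the hostnames, exposure flags and the placeholder CVE are invented here.

```python
import json

# Constructed sample in the layout of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json):
# a "vulnerabilities" array whose objects carry cveID, vendorProject, product and
# vulnerabilityName. The CVE IDs are the four named in the article; the rest is illustrative.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2025-67038", "vendorProject": "Lantronix", "product": "EDS5000",
     "vulnerabilityName": "Lantronix EDS5000 Code Injection Vulnerability"},
    {"cveID": "CVE-2026-34908", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Ubiquiti UniFi OS Improper Access Control Vulnerability"},
    {"cveID": "CVE-2026-34909", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Ubiquiti UniFi OS Path Traversal Vulnerability"},
    {"cveID": "CVE-2026-34910", "vendorProject": "Ubiquiti", "product": "UniFi OS",
     "vulnerabilityName": "Ubiquiti UniFi OS Improper Input Validation Vulnerability"},
]})

# Constructed scanner output (hypothetical hosts): the CVEs reported per asset and
# whether the asset is reachable from the internet. "CVE-XXXX-PLACEHOLDER" stands in
# for any finding that is not in the KEV catalog.
SCAN_SAMPLE = [
    {"host": "unifi-gw.example.net", "internet_exposed": True,
     "cves": ["CVE-2026-34908", "CVE-2026-34909", "CVE-XXXX-PLACEHOLDER"]},
    {"host": "lab-eds5000.corp.example", "internet_exposed": False,
     "cves": ["CVE-2025-67038"]},
    {"host": "intranet-wiki.corp.example", "internet_exposed": False,
     "cves": ["CVE-XXXX-PLACEHOLDER"]},
]

def load_kev_ids(feed_json):
    """Return the set of CVE IDs present in a KEV feed document."""
    return {v["cveID"] for v in json.loads(feed_json)["vulnerabilities"]}

def prioritize(scan_rows, kev_ids):
    """Bucket assets by urgency following the article's risk-based ordering:
    tier 1 = KEV-listed CVE on a publicly exposed asset (rapid remediation),
    tier 2 = KEV-listed CVE on an internal asset,
    tier 3 = no KEV-listed CVE (deferred timeline).
    Any KEV hit is also flagged for a check of prior compromise before patching,
    because a KEV listing means the flaw is known to be exploited in the wild."""
    report = []
    for row in scan_rows:
        hits = sorted(set(row["cves"]) & kev_ids)
        tier = 3 if not hits else (1 if row["internet_exposed"] else 2)
        report.append({"host": row["host"], "tier": tier, "kev_hits": hits,
                       "check_for_prior_compromise": bool(hits)})
    return sorted(report, key=lambda r: r["tier"])  # stable sort keeps input order within a tier

if __name__ == "__main__":
    for entry in prioritize(SCAN_SAMPLE, load_kev_ids(KEV_SAMPLE)):
        print(entry)
```

Against the real feed, replace `KEV_SAMPLE` with the downloaded JSON and `SCAN_SAMPLE` with the scanner's export; the join and tiering logic stay the same.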
### Broader Implications for All Organizations
While **BOD 26-04** is specifically tailored for **FCEB** agencies, **CISA** strongly recommends that all organizations, regardless of their sector, adopt a similar risk-based vulnerability management strategy. Prioritizing the remediation of vulnerabilities listed in the **KEV Catalog** is a crucial step in bolstering cybersecurity defenses against known and actively exploited threats.
**CISA** remains committed to expanding the **KEV Catalog**, continuously adding vulnerabilities that meet its stringent criteria, which include a **CVE** ID, verifiable evidence of exploitation, and clear mitigation guidance.
Organizations aware of an exploited vulnerability not yet listed in the **KEV Catalog** are encouraged to submit it through **CISA**'s KEV Nomination Form for potential inclusion.