CISA Adds Seven New Vulnerabilities to Known Exploited Vulnerabilities Catalog
The **Cybersecurity and Infrastructure Security Agency (CISA)** has added seven new vulnerabilities to its **Known Exploited Vulnerabilities (KEV) Catalog**, based on evidence of active exploitation. The additions affect products from **Microsoft**, **Adobe** and **Fortinet**, pose significant risk, and should be remediated promptly; the update underscores the importance of proactive vulnerability management for all organizations.
Here's a breakdown of the newly added vulnerabilities:
* **CVE-2012-1854**: **Microsoft** Visual Basic for Applications Insecure Library Loading Vulnerability
* **CVE-2020-9715**: **Adobe** Acrobat Use-After-Free Vulnerability
* **CVE-2023-21529**: **Microsoft** Exchange Server Deserialization of Untrusted Data Vulnerability
* **CVE-2023-36424**: **Microsoft** Windows Out-of-Bounds Read Vulnerability
* **CVE-2025-60710**: **Microsoft** Windows Link Following Vulnerability
* **CVE-2026-21643**: **Fortinet** SQL Injection Vulnerability
* **CVE-2026-34621**: **Adobe** Acrobat and Reader Prototype Pollution Vulnerability
### The KEV Catalog and BOD 22-01
The KEV Catalog is maintained under **Binding Operational Directive (BOD) 22-01**, which requires Federal Civilian Executive Branch (FCEB) agencies to remediate listed vulnerabilities by specific due dates. The directive aims to protect FCEB networks from active threats by addressing Common Vulnerabilities and Exposures (CVEs) known to be exploited in the wild.
While BOD 22-01 is specifically applicable to FCEB agencies, CISA strongly advises *all* organizations to prioritize the remediation of KEV Catalog vulnerabilities. This proactive approach is crucial for reducing exposure to cyberattacks and maintaining a robust security posture.
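As an added example (not from CISA's advisory or any CISA tooling), the following Python cross-references a vulnerability scanner's open findings against a KEV feed in the shape of CISA's published JSON (a subset of its fields) and orders the hits by BOD 22-01 due date, flagging those already past their deadline; the feed entries, host names and due dates are constructed for illustration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed; the CVE IDs and names
# come from the advisory above, the dateAdded/dueDate values are invented.
SAMPLE_KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-21529", "vendorProject": "Microsoft",
     "vulnerabilityName": "Microsoft Exchange Server Deserialization of Untrusted Data Vulnerability",
     "dateAdded": "2026-04-01", "dueDate": "2026-04-22"},
    {"cveID": "CVE-2026-21643", "vendorProject": "Fortinet",
     "vulnerabilityName": "Fortinet SQL Injection Vulnerability",
     "dateAdded": "2026-04-01", "dueDate": "2026-04-22"},
    {"cveID": "CVE-2012-1854", "vendorProject": "Microsoft",
     "vulnerabilityName": "Microsoft Visual Basic for Applications Insecure Library Loading Vulnerability",
     "dateAdded": "2026-03-20", "dueDate": "2026-04-10"},
]})

# Hypothetical scanner output: CVE -> hosts where it is still unpatched.
SAMPLE_INVENTORY = {
    "CVE-2023-21529": ["mail01.corp.example"],
    "CVE-2012-1854": ["ws-hr-02.corp.example", "ws-finance-07.corp.example"],
    "CVE-2024-99999": ["web01.corp.example"],  # placeholder CVE, not in the KEV feed
}

def kev_exposure(feed_json, inventory, today_iso):
    """Cross-reference open findings against a KEV feed.
    Returns one record per KEV-listed CVE present in the inventory, ordered by
    BOD 22-01 due date (earliest first); days_left is negative once the
    remediation deadline has passed.
    """
    today = date.fromisoformat(today_iso)
    kev = {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}
    hits = []
    for cve, hosts in inventory.items():
        entry = kev.get(cve)
        if entry is None:
            continue  # not known-exploited: falls under normal prioritisation
        due = date.fromisoformat(entry["dueDate"])
        hits.append({"cveID": cve, "vendor": entry["vendorProject"],
                     "name": entry["vulnerabilityName"], "dueDate": entry["dueDate"],
                     "days_left": (due - today).days, "overdue": due < today,
                     "hosts": sorted(hosts)})
    return sorted(hits, key=lambda h: (h["dueDate"], h["cveID"]))

if __name__ == "__main__":
    for h in kev_exposure(SAMPLE_KEV_FEED, SAMPLE_INVENTORY, "2026-04-15"):
        flag = "OVERDUE" if h["overdue"] else f"{h['days_left']}d left"
        print(f"{h['cveID']} {h['vendor']:<9} due {h['dueDate']} ({flag}) -> {', '.join(h['hosts'])}")
```

Against the live feed, replace `SAMPLE_KEV_FEED` with the downloaded catalog JSON and `SAMPLE_INVENTORY` with your scanner export; the ordering then gives a remediation queue that tracks the KEV deadlines rather than CVSS alone.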
CISA will continue to update the KEV Catalog with vulnerabilities that meet its specified criteria, ensuring that organizations have access to timely and actionable threat intelligence.