Vulnerability  ·  2026-05-21

CISA Adds Seven Known Exploited Vulnerabilities to KEV Catalog, Including Legacy Windows and Current Defender Flaws

Vulnerability  ·  High impact  ·  Global  ·  CVE-2008-4250, CVE-2009-1537, CVE-2009-3459, CVE-2010-0249, CVE-2010-0806, CVE-2026-41091, CVE-2026-45498
CISA added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on May 20, 2026, based on evidence of active exploitation. Five are legacy flaws from 2008-2010: CVE-2008-4250 (Microsoft Windows buffer overflow, MS08-067, the bug associated with the Conficker worm), CVE-2009-1537 (Microsoft DirectX NULL byte overwrite in the QuickTime parser), CVE-2009-3459 (Adobe Acrobat/Reader heap-based buffer overflow), and CVE-2010-0249 and CVE-2010-0806 (both Internet Explorer use-after-free vulnerabilities). Two are current Microsoft Defender flaws: CVE-2026-41091 (elevation of privilege) and CVE-2026-45498 (denial of service). Per CISA, these vulnerabilities carry significant risk and are being actively exploited. Federal agencies have a June 3, 2026 remediation deadline.
Legacy vulnerabilities: remote code execution via crafted RPC (CVE-2008-4250), malicious QuickTime media files (CVE-2009-1537), PDF exploits (CVE-2009-3459), and drive-by browser attacks (CVE-2010-0249, CVE-2010-0806). Current Defender flaws: local privilege escalation (CVE-2026-41091) and denial of service (CVE-2026-45498). The inclusion of 2008-2010 bugs signals that attackers are still finding reachable systems running unsupported Windows (2000, XP, Server 2003): embedded devices, stale virtual machines, industrial equipment, badge systems, lab instruments, kiosk images, or forgotten departmental servers. The Defender flaws indicate that the security tooling itself has become part of the blast radius.
Affected products: Windows 2000, Windows XP, Windows Server 2003 (legacy CVEs); Internet Explorer 6-8 (legacy); Adobe Reader/Acrobat versions from 2009; Microsoft Defender (current CVEs). Systems at risk include forgotten or unpatched Windows endpoints, operational technology (OT) environments, embedded systems, vendor-managed appliances, legacy kiosks, and any Windows-based security or monitoring tool relying on Defender. AI infrastructure teams should audit whether any ML pipeline components, container hosts, edge devices, or CI/CD runners are running affected Windows versions or Defender.
Apply vendor patches immediately: Microsoft security updates for legacy systems (if still supported under extended support contracts) and current Defender patches. For unsupported systems (Windows 2000/XP/Server 2003), isolate from production networks or replace. Audit all Windows endpoints, OT environments, embedded devices, and vendor-managed appliances for vulnerable versions. Federal agencies: remediate by June 3, 2026. Organizations should treat KEV additions as immediate operational signals, not backlog items—CISA's inclusion criteria require evidence of active exploitation.
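The audit and remediation steps above (check every Windows endpoint against the newly added CVEs, patch what is supported, isolate or replace what is not, and track the June 3 due date) are the kind of thing worth automating against the KEV feed rather than reading by hand. The following is an added example, not code from the advisory or from CISA: it loads a KEV-shaped JSON excerpt, cross-references it against a small asset inventory, and assigns each hit an action and a days-to-deadline count. The KEV field names (cveID, vendorProject, product, dateAdded, dueDate) follow CISA's published JSON feed; the catalog entries and the inventory hosts are constructed sample data, and the mapping of KEV product strings to inventory fields is an assumption you would adapt to your own CMDB naming.

```python
"""Cross-reference a CISA KEV feed excerpt against an asset inventory.

Added example, not part of the original advisory. Field names follow the
KEV JSON feed; all entries and hosts below are constructed sample data.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed, limited to the
# fields the triage needs. Dates match the advisory (added May 20, due June 3).
KEV_FEED_JSON = json.dumps({
    "catalogVersion": "constructed-sample",
    "vulnerabilities": [
        {"cveID": cve, "vendorProject": vendor, "product": product,
         "dateAdded": "2026-05-20", "dueDate": "2026-06-03"}
        for cve, vendor, product in [
            ("CVE-2008-4250", "Microsoft", "Windows"),
            ("CVE-2009-1537", "Microsoft", "DirectX"),
            ("CVE-2009-3459", "Adobe", "Acrobat and Reader"),
            ("CVE-2010-0249", "Microsoft", "Internet Explorer"),
            ("CVE-2010-0806", "Microsoft", "Internet Explorer"),
            ("CVE-2026-41091", "Microsoft", "Defender"),
            ("CVE-2026-45498", "Microsoft", "Defender"),
        ]
    ],
})

# OS versions the advisory names as unsupported: a KEV hit here cannot be
# patched, so the only sound action is to isolate or replace the host.
UNSUPPORTED_OS = {"Windows 2000", "Windows XP", "Windows Server 2003"}

# KEV products that are part of the legacy Windows stack itself (assumption:
# any host on an unsupported OS image is treated as carrying all of them).
LEGACY_STACK_PRODUCTS = {"Windows", "DirectX", "Internet Explorer"}

TODAY = date(2026, 5, 21)  # the advisory's publication date


@dataclass(frozen=True)
class Host:
    name: str
    os: str
    software: tuple[str, ...] = ()  # normalized product names (assumption)


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    action: str  # "isolate-or-replace" or "patch"
    days_left: int


# Constructed inventory: a forgotten badge server, an XP lab instrument,
# a CI runner and a developer laptop, the last two running Defender.
SAMPLE_HOSTS = (
    Host("badge-srv-01", "Windows Server 2003", ("Acrobat and Reader",)),
    Host("lab-scope-03", "Windows XP"),
    Host("ci-runner-07", "Windows Server 2022", ("Defender",)),
    Host("dev-laptop-12", "Windows 11", ("Defender", "Acrobat and Reader")),
)


def parse_kev(feed_json: str) -> list[dict]:
    """Return the vulnerabilities array from a KEV-shaped JSON document."""
    return json.loads(feed_json)["vulnerabilities"]


def host_affected(entry: dict, host: Host) -> bool:
    """Decide whether a KEV entry applies to a host."""
    if entry["product"] in LEGACY_STACK_PRODUCTS:
        return host.os in UNSUPPORTED_OS
    return entry["product"] in host.software


def triage(feed_json: str, hosts: tuple[Host, ...], today: date) -> list[Finding]:
    """Produce one finding per (host, CVE) hit, soonest deadline first."""
    findings = []
    for entry in parse_kev(feed_json):
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for host in hosts:
            if host_affected(entry, host):
                action = "isolate-or-replace" if host.os in UNSUPPORTED_OS else "patch"
                findings.append(Finding(host.name, entry["cveID"], action, days_left))
    return sorted(findings, key=lambda f: (f.days_left, f.host, f.cve))


def summarize(findings: list[Finding]) -> dict[str, list[str]]:
    """Group affected hosts by required action for the remediation ticket."""
    by_action: dict[str, set[str]] = {}
    for f in findings:
        by_action.setdefault(f.action, set()).add(f.host)
    return {action: sorted(hosts) for action, hosts in sorted(by_action.items())}


def run_triage() -> list[Finding]:
    """Run the triage over the constructed feed and inventory."""
    return triage(KEV_FEED_JSON, SAMPLE_HOSTS, TODAY)


if __name__ == "__main__":
    for f in run_triage():
        print(f"{f.host:14} {f.cve:15} {f.action:19} due in {f.days_left} days")
    print(summarize(run_triage()))
```

The action split is the point: hosts on an unsupported OS get every legacy-stack CVE attributed to them and an isolate-or-replace action, since no patch exists for them, while supported hosts only get findings for products actually inventoried and a patch action. In practice the feed would come from CISA's published JSON endpoint and the inventory from your CMDB or EDR export; the matching logic stays the same.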
Sources
CISA - Adds Seven Known Exploited Vulnerabilities to Catalog
CISA KEV Catalog
NVD CVE-2026-41091
NVD CVE-2026-45498
CISA Alert - CISA Adds One Known Exploited Vulnerability to Catalog
Oracle Security Alerts - CPU July 2024