
U.S. CISA Adds Microsoft and Adobe Flaws to Its Known Exploited Vulnerabilities Catalog
Key Takeaways
- CISA adds seven known‑exploited vulnerabilities to its KEV catalog.
- Two of the flaws, in Microsoft DirectX and Adobe Acrobat, carry CVSS scores of 9.3.
- Two Internet Explorer use‑after‑free bugs date back to 2010.
- Microsoft Defender is affected by an elevation‑of‑privilege and a denial‑of‑service issue.
- Federal agencies must remediate by June 3, 2026 under BOD 22‑01.
Pulse Analysis
The Cybersecurity and Infrastructure Security Agency's Known Exploited Vulnerabilities (KEV) catalog is a centralized list of flaws that have been observed being exploited in the wild and therefore demand immediate attention. By adding seven entries that span from a 2008 buffer overflow in the Windows Server service to 2026 Defender issues, CISA underscores the persistent threat posed by both legacy and current software. The additions are a reminder that decades‑old bugs still turn up in active campaigns, especially when they combine a high CVSS score with public, proven exploit code.
Among the newly listed flaws, CVE‑2008‑4250 (MS08‑067), a buffer overflow in the Windows Server service, remains a classic unauthenticated remote code execution vector, while CVE‑2009‑1537 in DirectX and CVE‑2009‑3459 in Adobe Acrobat both score 9.3 and allow arbitrary code execution when a victim opens a crafted file (a media file for DirectX, a PDF for Acrobat). Two Internet Explorer use‑after‑free vulnerabilities (CVE‑2010‑0249 and CVE‑2010‑0806) were previously leveraged by the GREF APT group, illustrating how old browser bugs continue to be weaponized. The recent Defender entries, an elevation‑of‑privilege issue (CVE‑2026‑41091) and a denial‑of‑service flaw (CVE‑2026‑45498), show that even security‑focused components can harbor exploitable weaknesses.
The operational impact is clear: federal entities must patch or mitigate these vulnerabilities by June 3, 2026, as mandated by Binding Operational Directive 22‑01. Private organizations are advised to audit their asset inventories for affected versions, update or retire legacy Windows and Internet Explorer installations, and confirm that Defender is receiving current platform, engine and definition updates, since a fix for a flaw in the product itself ships with the platform and engine rather than with signatures alone. Proactive remediation not only satisfies compliance but also shrinks the attack surface that threat actors are actively exploiting, reinforcing cyber‑resilience across both public and private sectors.
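The audit described above is mechanical enough to script. The example below is added here and is not code from CISA or from the article: it parses data in the shape of the public KEV JSON feed (the `cveID`, `vendorProject`, `product` and `dueDate` fields are real field names in that feed, and `KEV_URL` is the feed's public address), joins it against a per-host list of open CVE IDs such as a vulnerability scanner would export, and ranks the results by days remaining to the BOD 22‑01 due date. The sample catalog entries and the host findings are constructed for illustration; only the CVE IDs, vendors, products and the June 3, 2026 due date come from the article, and the scanner‑export format (a mapping of hostname to CVE IDs) is an assumption.

```python
"""Rank CISA KEV entries against a host-level vulnerability export.

Added example, not code from CISA or the article. Field names follow the
public KEV JSON feed; sample entries and host findings are constructed.
"""
import json
import urllib.request
from datetime import date

# Public address of the live KEV feed (only used by fetch_kev, which is
# not called below so the example runs offline).
KEV_URL = ("https://www.cisa.gov/sites/default/files/feeds/"
           "known_exploited_vulnerabilities.json")

# Constructed sample in the shape of the KEV feed. CVE IDs, vendors,
# products and the due date are from the article; nothing else is claimed.
KEV_SAMPLE = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "product": "DirectX", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2009-3459", "vendorProject": "Adobe", "product": "Acrobat", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2010-0249", "vendorProject": "Microsoft", "product": "Internet Explorer", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Defender", "dueDate": "2026-06-03"},
    ],
})

# Constructed scanner export: hostname -> CVE IDs still open on that host.
# One ID is lower-case to show the join is case-insensitive.
FINDINGS = {
    "dc01": ["CVE-2008-4250", "CVE-2026-41091"],
    "ws07": ["CVE-2010-0249", "CVE-2010-0806", "CVE-2009-3459"],
    "kiosk3": ["cve-2009-1537"],
    "build01": [],
}


def fetch_kev(url: str = KEV_URL) -> list[dict]:
    """Download the live catalog (needs network; not used in this example)."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)["vulnerabilities"]


def load_kev(text: str) -> dict[str, dict]:
    """Index KEV entries by upper-cased CVE ID with dueDate parsed to a date."""
    index = {}
    for entry in json.loads(text)["vulnerabilities"]:
        e = dict(entry)
        e["dueDate"] = date.fromisoformat(entry["dueDate"])
        index[e["cveID"].upper()] = e
    return index


def triage(kev: dict[str, dict], findings: dict[str, list[str]],
           today: "date | str") -> list[dict]:
    """Join host findings with the KEV index and rank by urgency.

    Findings not in KEV are dropped. Rows are sorted by days left (overdue
    rows have negative values and sort first), then host, then CVE ID.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve.upper())
            if entry is None:
                continue  # open on the host, but not known-exploited
            days_left = (entry["dueDate"] - today).days
            rows.append({
                "host": host,
                "cveID": entry["cveID"],
                "product": f"{entry['vendorProject']} {entry['product']}",
                "days_left": days_left,
                "overdue": days_left < 0,
            })
    rows.sort(key=lambda r: (r["days_left"], r["host"], r["cveID"]))
    return rows


if __name__ == "__main__":
    for row in triage(load_kev(KEV_SAMPLE), FINDINGS, "2026-05-20"):
        flag = "OVERDUE" if row["overdue"] else f"{row['days_left']:>3}d"
        print(f"{flag}  {row['host']:<8} {row['cveID']:<16} {row['product']}")
```

To run this against the real catalog, replace `load_kev(KEV_SAMPLE)` with an index built from `fetch_kev()`, and feed it your scanner's per-host CVE export; hosts whose open CVEs are absent from KEV (like `build01` above) drop out, leaving a list that starts with anything already past its due date.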