KEV alert: four exploited vulnerabilities that require immediate patching

Published · 5 min read

The United States Cybersecurity and Infrastructure Security Agency (CISA) has just updated its Known Exploited Vulnerabilities (KEV) catalogue with four flaws that, according to the agency, are already being exploited in real environments. This list of "actively exploited vulnerabilities" serves as a warning for managers and security officers: when CISA adds a flaw to KEV, it does so because there are signs of exploitation, and organizations must act quickly. You can check the official CISA alert here and the full catalogue here.

Among the four added flaws there is a mix covering browsers, anti-ransomware solutions, mail/collaboration servers and old ActiveX controls on Windows. The first, identified as CVE-2026-2441, is a use-after-free in Google Chrome with a high CVSS score (8.8) that could allow a malicious HTML page to cause memory corruption and remote code execution. CISA notes that there is evidence of exploitation in the wild, and in that context it is critical to apply browser updates as soon as possible.

Image generated with AI.

Another relevant case is CVE-2024-7694, an arbitrary file upload flaw in certain versions of the TeamT5 ThreatSonar Anti-Ransomware product (3.4.5 and above). This type of vulnerability allows an attacker to place malicious files on the server and, in extreme scenarios, to run commands on the affected machine. A Taiwanese incident coordination bulletin has already described how the flaw works; you can read the technical note here.

The catalogue also incorporated an older but extremely dangerous vulnerability: CVE-2020-7796, an SSRF (Server-Side Request Forgery) flaw in the Zimbra Collaboration Suite (ZCS). Previous research has shown that automated operators have scanned and attacked vulnerable instances in different countries, which shows that SSRF is an effective way to pivot from a web application to internal systems.

Finally, a historical vulnerability with known exploitation appears: CVE-2008-0015, a buffer overflow in the "Windows Video" ActiveX control that can lead to remote code execution if a user opens a crafted website. Microsoft maintains entries in its threat encyclopedia that describe how the associated exploits can download and run malware, including the worm known as Dogkild, which is capable of spreading and sabotaging security measures. Microsoft's documentation on this exploit is available here.

What does this KEV update tell us in practical terms? First, that the attack surface remains heterogeneous: from modern browsers to legacy components such as ActiveX, or niche backup and security software. Second, that attackers combine old and new techniques: mass SSRF scanning, targeted exploitation of browser bugs and abuse of file upload features. A previous public analysis of actors who scanned the global network to exploit SSRF includes an activity pattern with hundreds of IP addresses pointing at vulnerable instances, which illustrates the scale of the problem; for an overview of scanning and telemetry activity, the GreyNoise platform offers context on how these clusters behave here.

For technical teams and risk owners, the priority is clear: apply patches and mitigations as soon as possible. CISA usually accompanies these KEV additions with deadlines for federal entities; in this case, Federal Civilian Executive Branch (FCEB) agencies have 10 March 2026 as the due date to deploy the relevant fixes. But that date is not an excuse to wait: if your environment is public-facing or critical, update immediately.

Beyond patching, complementary measures are needed: reduce the public exposure of services that should not be reachable from the Internet, review logs and telemetry for indicators of compromise, strengthen file upload policies (validation, sandboxing, content analysis) and deploy firewall or WAF rules that mitigate the known vectors while the final fix is being applied. For browsers, forcing automatic updates and raising users' awareness of the risk of opening suspicious links or files is basic.


An important aspect that analysts often highlight is the need to prioritize according to context: a CVE with a 9.x score (such as the Zimbra SSRF) deserves immediate attention, but the final decision must weigh exposed assets, operational trade-offs and the mitigations available. Patch management tools and asset inventories help to identify which servers or workstations are at risk and to accelerate the response.
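To make that prioritization repeatable, here is an added example (not from the article, CISA or any vendor) that cross-references a sample in the shape of CISA's KEV JSON feed with a constructed asset inventory and ranks the matches by Internet exposure, known ransomware use and days left until the KEV due date. The feed content, host names and the vendor-name matching rule are assumptions for illustration; a production version would match on CPE or inventory identifiers rather than vendor strings.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed (field names follow the
# public feed; the 2026-03-10 dueDate is the FCEB deadline cited in the article).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-2441", "vendorProject": "Google", "product": "Chromium",
     "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-7694", "vendorProject": "TeamT5", "product": "ThreatSonar Anti-Ransomware",
     "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2020-7796", "vendorProject": "Zimbra", "product": "Collaboration Suite (ZCS)",
     "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2008-0015", "vendorProject": "Microsoft", "product": "Windows",
     "dueDate": "2026-03-10", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: hypothetical hosts, the vendor/product they run and
# whether the service is reachable from the Internet.
INVENTORY = [
    {"host": "mail01", "vendor": "Zimbra", "product": "Zimbra Collaboration", "internet_facing": True},
    {"host": "edr-console", "vendor": "TeamT5", "product": "ThreatSonar", "internet_facing": False},
    {"host": "ws-042", "vendor": "Google", "product": "Chrome", "internet_facing": False},
    {"host": "ws-042", "vendor": "Microsoft", "product": "Windows 10", "internet_facing": False},
    {"host": "db01", "vendor": "PostgreSQL", "product": "PostgreSQL 15", "internet_facing": False},
]

def prioritize(feed_json: str, inventory: list, today: date) -> list:
    """Cross-reference KEV entries with the inventory; most urgent finding first."""
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        due = date.fromisoformat(entry["dueDate"])
        for asset in inventory:
            # Simplified matching on vendor name (assumption for this example).
            if asset["vendor"].lower() != entry["vendorProject"].lower():
                continue
            findings.append({
                "host": asset["host"], "cveID": entry["cveID"],
                "internet_facing": asset["internet_facing"],
                "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                "days_left": (due - today).days,  # negative means overdue
            })
    # Exposed assets first, then known ransomware use, then the nearest deadline.
    findings.sort(key=lambda f: (not f["internet_facing"], not f["ransomware"], f["days_left"]))
    return findings

def findings_for(today_iso: str) -> list:
    """Run the sample feed against the sample inventory as of the given ISO date."""
    return prioritize(KEV_FEED, INVENTORY, date.fromisoformat(today_iso))

if __name__ == "__main__":
    for f in findings_for("2026-02-17"):
        print(f"{f['host']:<12} {f['cveID']:<15} exposed={f['internet_facing']} due_in={f['days_left']}d")
```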

Finally, and perhaps most practical for managers: review the references published by the affected vendors themselves and by trusted agencies. The CISA fact sheets and the KEV catalog provide threat summaries and patch links; the CVE pages contain technical details; and sources such as documentation from local response teams or vendors provide mitigation procedures and updates. The main resources cited in this piece are: the CISA alert https://www.cisa.gov/news-events/alerts/2026/02/17/cisa-adds-four-known-exploited-vulnerabilities-catalog, the KEV catalogue https://www.cisa.gov/known-exploited-vulnerabilities-catalog and the entries for each CVE (CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, CVE-2008-0015). For details on the TeamT5 vector see the Taiwanese bulletin https://www.twcert.org.tw/en/cp-139-8000-e5a5c-2.html, and for information about the historical exploit and related malware families, the Microsoft threat encyclopedia offers context at https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Exploit:HTML/CVE-2008-0015 and https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Worm:Win32/Dogkild.A.

The lesson from this update is simple: threats do not respect software age or popularity. An old, widely installed component can be as dangerous as a bug in a modern browser if properly exploited. Effective cyberdefence combines fast patching, permanent visibility and coordinated response, and when CISA places something in the KEV, it is appropriate to treat it as a red alert and act accordingly.
