CISA adds four vulnerabilities to KEV Catalog- Feb 17, 2026

CVSS Deep Dive, Exploit Chains, and Enterprise Risk Analysis

Deadline for Remediation: 10 March 2026
KEV Status: Newly added to CISA Known Exploited Vulnerabilities Catalog
Ransomware Use: Not yet confirmed (all entries)

Why This KEV Update Matters

The Feb 17, 2026 KEV additions highlight a recurring and dangerous reality:

Exploitation does not favor “new” vulnerabilities — it favors “reachable” ones.

This KEV set spans:

  • Modern browser memory corruption
  • A 2008-era Windows ActiveX RCE
  • A flaw in a security product
  • A long-standing SSRF in enterprise email infrastructure

Each vulnerability plays a specific role in real-world attack chains, from initial access to post-compromise acceleration.

Google Chromium

CVE-2026-2441 — CSS Use-After-Free (CWE-416)

Technical Summary

A use-after-free vulnerability in Chromium’s CSS engine allows attackers to trigger heap corruption using a crafted HTML/CSS payload. This impacts all Chromium-based browsers, including:

  • Google Chrome
  • Microsoft Edge
  • Opera

CVSS Analysis

Estimated CVSS v3.x: 8.8 (High)

Likely Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H

Why the score is high

  • Network exploitable
  • No privileges required
  • Reliable memory corruption primitive
  • Frequently chained with sandbox escapes

Real-World Attack Chain

  1. Initial Access
    • Phishing, malvertising, SEO-poisoned pages
    • Victim loads malicious HTML/CSS
  2. Exploitation
    • CSS UAF triggers controlled heap corruption
    • Arbitrary read/write in renderer process
  3. Exploit Chaining
    • Combined with:
      • V8 type confusion
      • GPU process escape
      • OS kernel LPE
  4. Post-Exploitation
    • Credential theft
    • Malware dropper
    • Ransomware staging

Key Insight:
This vulnerability is rarely standalone—it is a first-stage exploit primitive in advanced browser attack chains.

Microsoft Windows

CVE-2008-0015 — Video ActiveX Control Remote Code Execution

Technical Summary

A legacy ActiveX control vulnerability enabling remote code execution when a user visits a malicious web page. Despite its age, it persists in:

  • Legacy enterprise images
  • Embedded Windows systems
  • IE compatibility / legacy modes

CVSS Analysis

  • CVSS v2: ~9.3 (Critical)
  • CVSS v3 equivalent: ~8.8

Likely Vector: AV:N / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H

Real-World Attack Chain

  1. Initial Access
    • User opens crafted webpage
    • ActiveX control executes attacker code
  2. Execution Context
    • Runs with logged-in user privileges
  3. Privilege Escalation
    • Chained with modern kernel exploits
    • SYSTEM-level compromise
  4. Enterprise Impact
    • Credential dumping
    • Lateral movement
    • Ransomware deployment

Key Insight:
A 2008 CVE in KEV is not a mistake—it signals organizational failure to eliminate legacy attack surfaces.

TeamT5 ThreatSonar Anti-Ransomware

CVE-2024-7694 — Unrestricted File Upload (CWE-434)

Technical Summary

ThreatSonar fails to properly validate uploaded files, allowing administrators to upload dangerous file types that can be executed on the server.

CVSS Analysis

Estimated CVSS: 7.2 (High)

Likely Vector: AV:N / AC:L / PR:H / UI:N / S:C / C:H / I:H / A:H

Scoring nuance

  • Admin access lowers base score
  • Scope change (S:C) significantly raises impact

Real-World Attack Chain

  1. Precondition
    • Attacker already has admin access
    • Via phishing, credential reuse, AD compromise
  2. Weaponization
    • Upload web shell or malicious binary
  3. Execution
    • Arbitrary OS command execution
    • Persistence via services or scheduled tasks
  4. Operational Impact
    • Security tool abused as trusted foothold
    • Monitoring bypassed due to implicit trust

Key Insight:
This is a post-compromise force multiplier, turning defensive infrastructure into offensive infrastructure.

Synacor Zimbra Collaboration Suite

CVE-2020-7796 — Server-Side Request Forgery (CWE-918)

Technical Summary

An SSRF vulnerability that is present when:

  • WebEx Zimlet is installed
  • Zimlet JSP is enabled

It allows attackers to coerce the Zimbra server into making unauthorized internal requests.

CVSS Analysis

Estimated CVSS: 9.8 (Critical)

Likely Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:L / A:L

Real-World Attack Chain

  1. Trigger Condition
    • Vulnerable Zimlet configuration
  2. SSRF Abuse
    • Access internal services
    • Query metadata endpoints
    • Reach admin-only APIs
  3. Chaining Opportunities
    • Credential harvesting
    • Internal recon
    • Secondary RCE
  4. Enterprise Impact
    • Mailbox compromise
    • Internal pivot
    • Data exfiltration

Key Insight:
SSRF is rarely the end—it is a gateway vulnerability into internal trust zones.

Cross-CVE Strategic Observations

Theme                  Observation
Initial Access         Browsers and web content dominate
Exploit Chaining       Required in most high-impact cases
Legacy Risk            Old vulnerabilities remain exploitable
Tooling Risk           Security products expand attack surface
Ransomware Potential   High, despite “unknown” status

What KEV Inclusion Really Means

When a CVE enters the CISA KEV Catalog:

  • Risk acceptance is no longer valid
  • Compensating controls are rarely sufficient
  • Remediation becomes operationally mandatory

Failure to act is no longer a technical gap, but a governance failure.
