
CISA Adds Five Flaws to Its KEV Catalog


Federal agencies face a three-week deadline to remediate a set of vulnerabilities spanning consumer devices, industrial controllers, and surveillance cameras — all confirmed to be actively exploited in the wild.

Federal Remediation Deadline (BOD 22-01): March 26, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog on March 5, 2026, adding five security flaws that span three major vendors: Apple, Rockwell Automation, and Hikvision. The move signals that adversaries are actively leveraging these weaknesses — and that organizations of all kinds need to act fast.

While the Binding Operational Directive 22-01 mandates remediation only for Federal Civilian Executive Branch (FCEB) agencies, CISA strongly urges every organization to treat KEV entries as high-priority items in their vulnerability management programs.

Apple — 3 CVEs

Three vulnerabilities affecting Apple products were added, with Google’s Threat Intelligence Group credited for their discovery. Two involve use-after-free memory bugs — a class of flaw that can be weaponized for arbitrary code execution.

CVE-2021-30952 · CVSS 8.8 (High) · Integer Overflow / Wraparound
Affects multiple Apple products. Integer overflows can corrupt memory in ways that allow attackers to execute arbitrary code or escalate privileges — often exploited via maliciously crafted web content or files.

CVE-2023-41974 · CVSS 7.8 (High) · Use-After-Free — iOS & iPadOS
This use-after-free vulnerability in iOS and iPadOS allows an attacker to corrupt freed memory, enabling code execution within the context of a privileged process.

CVE-2023-43000 · Use-After-Free — Multiple Apple Products
A second use-after-free vulnerability, this one affecting a broader range of Apple software. It was reported alongside CVE-2023-41974, which suggests the two were discovered as part of a coordinated research effort.

Hikvision — 1 CVE

A nearly decade-old flaw in Hikvision IP cameras finally makes its official KEV appearance — months after the SANS Internet Storm Center detected active exploitation attempts in the wild.

CVE-2017-7921 · CVSS 9.8 (Critical) · Improper Authentication — IP Camera Firmware
This critical authentication bypass affects multiple Hikvision IP camera series running outdated firmware. When exploited, attackers can completely circumvent credential verification, gain elevated privileges, and access sensitive camera data or device controls — without ever supplying a valid password. The flaw was first disclosed in 2017, making its continued exploitation a stark reminder that legacy devices remain a persistent risk on enterprise and consumer networks alike.

“A 2017 flaw still being exploited in 2026 is not a technology problem — it’s an asset management problem.”

Rockwell Automation — 1 CVE

The most operationally complex addition of this batch affects industrial control systems — where the consequences of a breach extend well beyond data loss into physical process disruption.

CVE-2021-22681 · CVSS 9.8 (Critical) · Authentication Bypass — Studio 5000 Logix Designer, RSLogix 5000
This critical flaw allows an unauthenticated attacker to bypass the cryptographic key verification used to authenticate communication with Rockwell’s Logix industrial controllers. An attacker capable of intercepting or injecting network traffic could impersonate a trusted engineering workstation and interact directly with programmable logic controllers (PLCs) — potentially altering industrial processes in dangerous ways. Critically, Rockwell has confirmed this issue cannot be resolved with a patch alone, meaning organizations must rely on compensating controls such as deploying CIP Security and restricting network access to affected controllers.

What To Do Now

  1. Update Apple Devices — Apply the latest iOS, iPadOS, and macOS updates. All three Apple CVEs are addressed in current software versions.
  2. Patch or Replace Hikvision Cameras — Upgrade firmware to a supported version immediately. If devices are end-of-life, prioritize replacement and isolate them from critical networks in the interim.
  3. Harden Rockwell ICS Environments — No patch is available. Deploy CIP Security, segment OT networks, restrict access to Logix controllers, and monitor for anomalous engineering traffic.
  4. Audit Your Asset Inventory — Cross-reference your asset inventory against all five CVEs. Unmanaged or shadow IT devices are frequently the most vulnerable.
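Step 4 above, as an added worked example (not code from the post): a script that joins a constructed CMDB export against KEV-style records for the five CVEs and reports, per asset, which entries apply, how many days remain until the BOD 22-01 due date, and the required action. The record field names follow the CISA KEV JSON feed; the asset data, the requiredAction shorthand and the loose product matching are assumptions made for this example.

```python
"""Step 4 above as code: join a CMDB export against KEV records. Both data sets are
constructed for this example; the records use the CISA KEV feed's field names
(cveID, vendorProject, product, requiredAction, dueDate) with values from the post."""
import json
from datetime import date

KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2021-30952", "vendorProject": "Apple", "product": "Multiple Products",
     "requiredAction": "apply vendor update", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2023-41974", "vendorProject": "Apple", "product": "iOS and iPadOS",
     "requiredAction": "apply vendor update", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2023-43000", "vendorProject": "Apple", "product": "Multiple Products",
     "requiredAction": "apply vendor update", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2017-7921", "vendorProject": "Hikvision", "product": "IP Camera",
     "requiredAction": "update firmware or replace if end-of-life", "dueDate": "2026-03-26"},
    {"cveID": "CVE-2021-22681", "vendorProject": "Rockwell Automation", "dueDate": "2026-03-26",
     "product": "Studio 5000 Logix Designer, RSLogix 5000",
     "requiredAction": "no patch: deploy CIP Security, restrict controller access"},
]})

ASSETS = [  # constructed CMDB export; 'product' is free text, as it usually is
    {"id": "ipad-042", "vendor": "Apple", "product": "iPadOS 17.1"},
    {"id": "mbp-117", "vendor": "Apple", "product": "macOS 14.2"},
    {"id": "cam-lobby-3", "vendor": "Hikvision", "product": "DS-2CD2042 IP Camera"},
    {"id": "eng-ws-01", "vendor": "Rockwell Automation", "product": "RSLogix 5000 v20"},
    {"id": "sw-core-1", "vendor": "Cisco", "product": "Catalyst 9300"},
]

def product_matches(kev_product, asset_product):
    """'Multiple Products' covers the vendor's whole line; otherwise any piece of the
    KEV product field (split on ',' / ' and ') must occur in the asset's product text.
    Loose on purpose: production code should key on CPE or firmware/serial data."""
    if kev_product.lower() == "multiple products":
        return True
    pieces = kev_product.replace(" and ", ",").split(",")
    return any(p.strip() and p.strip().lower() in asset_product.lower() for p in pieces)

def kev_exposure(kev_json, assets, today_iso):
    """{asset_id: [(cveID, days_until_due, requiredAction), ...]}, most urgent first;
    a negative days_until_due means the BOD 22-01 deadline has already passed."""
    today, report = date.fromisoformat(today_iso), {}
    for a in assets:
        for e in json.loads(kev_json)["vulnerabilities"]:
            if e["vendorProject"].lower() == a["vendor"].lower() and \
                    product_matches(e["product"], a["product"]):
                days = (date.fromisoformat(e["dueDate"]) - today).days
                report.setdefault(a["id"], []).append((e["cveID"], days, e["requiredAction"]))
    for hits in report.values():
        hits.sort(key=lambda h: (h[1], h[0]))  # soonest deadline first, then CVE id
    return report
```

Run with a real KEV feed download in place of KEV_JSON and your own CMDB export in place of ASSETS; the Cisco entry shows that assets from vendors not in the catalog simply drop out of the report.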