
CISA has added seven vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog based on confirmed evidence of active exploitation. The batch spans Microsoft Windows, Microsoft Internet Explorer, Adobe Acrobat/Reader, and Microsoft Defender — five legacy CVEs and two current-year Defender flaws.
The Seven CVEs
CVE-2008-4250 — Microsoft Windows Buffer Overflow Vulnerability
Legacy Windows Server service flaw (MS08-067) enabling unauthenticated remote code execution via a crafted RPC request, typically delivered over SMB; this is the vulnerability Conficker spread through. Despite its age, it is still being leveraged in opportunistic campaigns against unpatched legacy systems.
CVE-2009-1537 — Microsoft DirectX NULL Byte Overwrite Vulnerability
DirectShow QuickTime media parsing flaw (MS09-028). Exploitable through a malicious media file, whether opened directly or embedded in a web page, and historically used in drive-by download and spear-phishing chains.
CVE-2009-3459 — Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
Critical Adobe heap overflow enabling arbitrary code execution when a malformed PDF is opened. Malicious PDFs remain a reliable delivery vector against end-user workstations, which is why this flaw has stayed in use for so long.
CVE-2010-0249 — Microsoft Internet Explorer Use-After-Free Vulnerability
The Internet Explorer zero-day used in Operation Aurora (fixed in MS10-002). Remote code execution when the victim renders a malicious web page.
CVE-2010-0806 — Microsoft Internet Explorer Use-After-Free Vulnerability
Second IE use-after-free in this batch (fixed in MS10-018). Also enables RCE, triggered by crafted HTML content.
CVE-2026-41091 — Microsoft Defender Elevation of Privilege Vulnerability
Current-year Defender EoP flaw. Allows a locally authenticated attacker to escalate privileges — high risk in post-exploitation chains where initial access is already established.
CVE-2026-45498 — Microsoft Defender Denial of Service Vulnerability
The catalog title classifies this as a denial-of-service flaw, while the accompanying description states that Defender contains a link-following vulnerability allowing an authorized local attacker to elevate privileges. Either way the practical concern is the same: an attacker with local access disrupting or subverting endpoint protection ahead of further activity. Confirm the affected component and fixed version against Microsoft's advisory before triaging it as DoS-only.
Analyst Note
The inclusion of five CVEs from 2008–2010 is a clear signal: threat actors are still successfully weaponizing vulnerabilities that are fifteen or more years old against organizations running legacy or unpatched systems. The broader 2026 pattern is unchanged: ransomware operators and other threat actors continue to target VPN appliances, edge devices, remote management tools, and internet-facing applications, with flaws enabling RCE, authentication bypass, and privilege escalation remaining the highest-priority targets.
The two Defender CVEs (CVE-2026-41091 and CVE-2026-45498) are particularly notable — defenders must patch the very tool they rely on for protection.
Remediation Guidance
Under BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate these vulnerabilities within the stipulated due dates. Non-federal organizations should treat this batch as a priority patching signal.
- Patch Microsoft Defender immediately via Windows Update / Microsoft Update Catalog, then confirm the installed antimalware platform and engine versions (for example via Get-MpComputerStatus) match the fixed builds in Microsoft's advisory, since Defender platform updates ship separately from the monthly OS cumulative update
- For the legacy IE/Windows/DirectX/Adobe flaws, verify exposure to end-of-life products; where no patch path exists, isolate the host or discontinue use rather than accepting the risk
- Audit your environment for any systems still running pre-2015 software stacks — their presence on your network is a risk multiplier
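One way to turn this batch into a prioritized work list, as an added example that is not part of the CISA listing or this article: read a KEV-format feed, cross-reference it against an asset inventory, and order the findings by due date while separating hosts that can be patched from hosts with no patch path. The feed excerpt and the inventory below are constructed for illustration; the CVE IDs mirror this batch, but the vendorProject/product strings, the dueDate values and the host records are placeholders, not CISA's actual catalog entries or deadlines. Field names (cveID, vendorProject, product, dueDate) follow the structure of the real KEV JSON feed, which you would fetch instead of embedding.

```python
"""Triage a CISA KEV batch against a local asset inventory (offline, constructed data)."""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json).
# Only the CVE IDs mirror the batch discussed above; product strings and dueDate
# values are placeholders, not CISA's real catalog data or deadlines.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2026-07-01"},
    {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "product": "DirectX", "dueDate": "2026-07-01"},
    {"cveID": "CVE-2009-3459", "vendorProject": "Adobe", "product": "Acrobat and Reader", "dueDate": "2026-07-01"},
    {"cveID": "CVE-2010-0249", "vendorProject": "Microsoft", "product": "Internet Explorer", "dueDate": "2026-07-01"},
    {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer", "dueDate": "2026-07-01"},
    {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender", "dueDate": "2026-06-20"},
    {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Defender", "dueDate": "2026-06-20"},
]})

# Constructed inventory. "software" holds (vendor, product) pairs as they would be
# normalized from your CMDB; "patched" holds CVEs already remediated on that host;
# "eol" marks hosts running an end-of-life stack with no vendor patch path.
INVENTORY = [
    {"host": "fileserver-legacy", "eol": True, "patched": set(),
     "software": {("Microsoft", "Windows")}},
    {"host": "ws-042", "eol": False, "patched": {"CVE-2008-4250", "CVE-2009-3459"},
     "software": {("Microsoft", "Windows"), ("Microsoft", "Defender"), ("Adobe", "Acrobat and Reader")}},
    {"host": "kiosk-07", "eol": True, "patched": {"CVE-2008-4250"},
     "software": {("Microsoft", "Windows"), ("Microsoft", "Internet Explorer")}},
]

DECOMMISSION = "decommission_or_isolate"
PATCH = "patch"


def load_kev(feed_text):
    """Parse a KEV-format JSON document and return its vulnerability entries."""
    return json.loads(feed_text)["vulnerabilities"]


def find_exposures(kev_entries, inventory):
    """One finding per (host, CVE) where the host runs the affected product and has
    not recorded the CVE as patched. EOL hosts get a decommission/isolate action
    because a KEV entry with no patch path is a decision, not a reboot."""
    findings = []
    for host in inventory:
        for entry in kev_entries:
            affected = (entry["vendorProject"], entry["product"]) in host["software"]
            if affected and entry["cveID"] not in host["patched"]:
                findings.append({
                    "host": host["host"],
                    "cve": entry["cveID"],
                    "product": entry["product"],
                    "due": date.fromisoformat(entry["dueDate"]),
                    "action": DECOMMISSION if host["eol"] else PATCH,
                })
    return findings


def prioritize(findings, today):
    """Order by due date (earliest first), then put hosts with no patch path ahead of
    patchable ones on the same date, and annotate each finding with days remaining."""
    ordered = sorted(findings, key=lambda f: (f["due"], f["action"] != DECOMMISSION, f["host"], f["cve"]))
    for f in ordered:
        f["days_left"] = (f["due"] - today).days
    return ordered


if __name__ == "__main__":
    work_list = prioritize(find_exposures(load_kev(KEV_FEED), INVENTORY), date.today())
    for f in work_list:
        print(f"{f['due']}  {f['days_left']:>4}d  {f['host']:<18} {f['cve']:<15} {f['product']:<20} {f['action']}")
```

The "patched" set is the part worth getting right in practice: derive it from installed KB/update evidence rather than from a ticket being closed, and treat any host where the inventory cannot answer the question as exposed.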


