CISA Expands KEV Catalog Again adds Zeroday Vulnerabilities

CISA Expands KEV Catalog Again adds Zeroday Vulnerabilities


The pace of additions to the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog continues to accelerate. Between July 14 and July 15, 2026, CISA added eight new vulnerabilities, all confirmed to be under active exploitation in the wild.

While Microsoft SharePoint zero-days dominated headlines following July Patch Tuesday, the latest KEV additions demonstrate a much broader attack landscape. Threat actors are simultaneously targeting identity platforms, VPN appliances, enterprise resource planning (ERP) software, industrial automation protocols, and even legacy networking infrastructure.

For defenders, this serves as another reminder that vulnerability management must prioritize known exploitation over severity scores alone.

Newly Added KEV Vulnerabilities

1. Microsoft SharePoint Server

Microsoft SharePoint remains one of the highest-priority risks following July Patch Tuesday. The newly cataloged vulnerability allows attackers to compromise internet-facing SharePoint servers without requiring valid credentials.

Because SharePoint frequently stores sensitive organizational documents and integrates with Active Directory, successful exploitation can quickly evolve into domain-wide compromise.

Security Impact

  • Remote server compromise
  • Data theft
  • Credential harvesting
  • Potential ransomware deployment
  • Enterprise-wide lateral movement

2. Microsoft Active Directory Federation Services (AD FS)

Active Directory Federation Services serves as the authentication backbone for many hybrid identity deployments.

An exploited weakness within AD FS can enable attackers to manipulate authentication processes, potentially bypassing trust relationships or escalating privileges.

Compromise of an identity provider is often far more damaging than compromise of an individual endpoint because it enables attackers to impersonate legitimate users across multiple applications.

3. SonicWall SMA1000 – Server-Side Request Forgery (CVE-2026-15409)

SonicWall Secure Mobile Access appliances continue to be attractive targets because they are internet-facing remote access gateways.

This SSRF vulnerability allows attackers to manipulate server-side requests, potentially accessing internal services that would otherwise remain unreachable.

Attackers frequently leverage SSRF vulnerabilities to:

  • Enumerate internal infrastructure
  • Access cloud metadata services
  • Pivot toward internal applications
  • Chain attacks with privilege escalation flaws

4. SonicWall SMA1000 – Code Injection (CVE-2026-15410)

Even more concerning is the companion code injection vulnerability affecting the same platform.

Successful exploitation may permit arbitrary command execution on the appliance itself, providing attackers with persistent access to remote access infrastructure.

VPN appliances remain attractive ransomware entry points because they often bridge external users with internal enterprise networks.

5. Cisco IOS Cross-Site Request Forgery (CVE-2008-4128)

Perhaps the most surprising KEV addition is a vulnerability originally disclosed 18 years ago.

The inclusion of a legacy Cisco IOS CSRF vulnerability illustrates an important lesson:

Age does not eliminate risk.

Organizations frequently continue operating older networking equipment long after vendors stop emphasizing associated vulnerabilities.

Threat actors actively exploit these forgotten weaknesses whenever vulnerable devices remain exposed.

This addition reinforces that asset lifecycle management is just as important as vulnerability management.

6. KNX Secure Authorization Bypass (CVE-2023-4346)

KNX is widely deployed across modern smart buildings for:

  • Lighting
  • HVAC
  • Building automation
  • Physical access systems
  • Environmental controls

An authorization bypass affecting KNX Secure demonstrates the growing convergence between cybersecurity and operational technology.

Compromise of building automation systems may enable attackers to:

  • Disable environmental controls
  • Manipulate building operations
  • Support physical intrusion
  • Disrupt business continuity

As smart buildings become increasingly connected, these systems should be considered part of an organization’s attack surface.

7. Oracle E-Business Suite Improper Privilege Management (CVE-2026-46817)

Oracle E-Business Suite remains a mission-critical ERP platform across government agencies and large enterprises.

Privilege management flaws within ERP environments can expose:

  • Financial records
  • Payroll systems
  • Procurement workflows
  • Human Resources information
  • Enterprise business processes

Unlike traditional infrastructure attacks, ERP compromises directly impact core business operations.

Key Observations

Several notable trends emerge from these eight additions.

Identity Infrastructure Remains a Prime Target

AD FS continues to demonstrate that identity systems remain one of the most valuable assets for attackers. Once identity infrastructure is compromised, traditional security boundaries become far less effective.

Remote Access Appliances Continue to Be Exploited

VPN and secure access appliances remain frequent ransomware entry points because they provide direct access into enterprise environments.

Enterprise Applications Are Increasingly Under Attack

Business-critical platforms like SharePoint and Oracle E-Business Suite are now primary targets rather than secondary objectives.

Operational Technology Is No Longer Isolated

The inclusion of KNX Secure highlights how building automation systems have become part of the modern cyber attack surface.

Legacy Vulnerabilities Never Truly Disappear

The addition of an 18-year-old Cisco IOS vulnerability demonstrates that unsupported infrastructure continues to create exploitable opportunities years after disclosure.

Defensive Recommendations

Organizations should immediately:

  • Inventory affected products across enterprise environments.
  • Prioritize remediation for all KEV-listed vulnerabilities regardless of CVSS score.
  • Patch internet-facing SharePoint servers without delay.
  • Update SonicWall SMA1000 appliances to the latest supported version.
  • Review AD FS logs for suspicious authentication activity.
  • Assess Oracle E-Business Suite privilege configurations.
  • Identify legacy Cisco IOS devices still in production.
  • Include building automation systems such as KNX within enterprise vulnerability management and attack surface management programs.
  • Hunt for indicators of compromise before assuming systems are unaffected.

Final Thoughts

The July 14–15 KEV additions illustrate how modern cyber threats span every layer of enterprise technology—from collaboration platforms and identity providers to VPN gateways, ERP systems, networking equipment, and smart building infrastructure.

Perhaps the most important lesson is that active exploitation—not CVSS score or disclosure date—should drive remediation priorities. Whether a vulnerability was disclosed this month or nearly two decades ago, its presence in the KEV Catalog signals that attackers are already using it successfully. For defenders, every KEV update is a clear call to reassess exposure, accelerate patching, and verify that critical assets are not only updated but continuously monitored for signs of compromise.

Comments

No comments yet. Why don’t you start the discussion?

    Leave a Reply

    This site uses Akismet to reduce spam. Learn how your comment data is processed.