Cybersecurity 2026-05-01 FURULIE LLC 8 MIN READ

CISA KEV Alert: 20 New Actively Exploited CVEs Added — 2026-05-01

FLLC threat intelligence deep-dive on the latest CISA Known Exploited Vulnerabilities additions — exploit methodology, enterprise impact analysis, and an operational response playbook for security teams.

Tags: #CVE #CISA #KEV #vulnerabilities #threat-intelligence #zero-day #enterprise-security

CISA KEV Intelligence Briefing

[INTEL_REF: KEV-2026-05-01] CISA Known Exploited Vulnerabilities Briefing

CLASSIFICATION: ACTIVE EXPLOITATION CONFIRMED — IMMEDIATE ACTION REQUIRED

The Cybersecurity and Infrastructure Security Agency has added 20 new vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog as of 2026-05-01. The KEV catalog is not a theoretical risk list — it is CISA's confirmed record of vulnerabilities that adversaries are actively weaponizing right now, against real targets, in production environments. Every entry carries the full weight of BOD 22-01 for federal agencies and represents best-practice urgent remediation guidance for all enterprises.

Understanding what makes a KEV entry significant: CISA only adds a vulnerability when there is credible, technical evidence of active in-the-wild exploitation. This means threat actors have working exploit code, are scanning for vulnerable systems, and are successfully compromising them. The patching window is not measured in weeks — it is measured in hours for internet-exposed systems.

AI Team Transmission Log

[CSET AI — NIST COMPLIANCE FEED]
New KEV Entries: 20
Critical Severity: 2
High Severity: 8
Federal Mandate: BOD 22-01 — agencies must remediate by published due dates
Enterprise Guidance: NIST CSF Respond/Recover functions activated
MITRE Coverage: T1190 (Exploit Public-Facing), T1133 (External Remote Services)

[TERMINAL — RAPID EXPOSURE SCAN]
> # Identify affected systems in your environment:
> grep -ri 'cpanel' /etc/hosts /etc/fstab /var/log/ 2>/dev/null
> grep -ri 'screenconnect' /etc/hosts /etc/fstab /var/log/ 2>/dev/null
> grep -ri 'windows' /etc/hosts /etc/fstab /var/log/ 2>/dev/null
> shodan search 'product:cPanel country:US' --fields ip_str,port,org
> nmap -sV --script vuln -p 443,8080,8443,22 <affected_subnet>

[FLIC — GOVERNANCE STATUS]
Risk level elevated. C-suite notification recommended for Critical-severity entries.
Insurance carriers require documentation of KEV remediation within 30 days for policy compliance.
Vendor advisories linked below — assign tickets before end of business today.

🔴 Critical Severity Exploited Vulnerabilities

🔴 CRITICAL — CVE-2026-41940: WebPros cPanel & WHM and WP2 (WordPress Squared) Missing Authentication for Critical Function Vulnerability

Vendor / Product: WebPros / cPanel & WHM and WP2 (WordPress Squared)
Date Added to KEV: 2026-04-30
Required Action Deadline: 2026-05-03
Known Ransomware Use: Potential / Under Investigation

WebPros cPanel & WHM (WebHost Manager) and WP2 (WordPress Squared) contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-03, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running cPanel & WHM and WP2 (WordPress Squared).

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


🔴 CRITICAL — CVE-2026-39987: Marimo Remote Code Execution Vulnerability

Vendor / Product: Marimo / Marimo
Date Added to KEV: 2026-04-23
Required Action Deadline: 2026-05-07
Known Ransomware Use: Potential / Under Investigation

Marimo contains a pre-authorization remote code execution vulnerability that allows an unauthenticated attacker to obtain shell access and execute arbitrary system commands.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-07, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running Marimo.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

🟠 High Severity Exploited Vulnerabilities

🟠 HIGH — CVE-2024-1708: ConnectWise ScreenConnect Path Traversal Vulnerability

Vendor / Product: ConnectWise / ScreenConnect
Date Added to KEV: 2026-04-28
Required Action Deadline: 2026-05-12
Known Ransomware Use: Not Confirmed

ConnectWise ScreenConnect contains a path traversal vulnerability which could allow an attacker to execute remote code or directly impact confidential data and critical systems.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-12, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running ScreenConnect.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


🟠 HIGH — CVE-2026-32202: Microsoft Windows Protection Mechanism Failure Vulnerability

Vendor / Product: Microsoft / Windows
Date Added to KEV: 2026-04-28
Required Action Deadline: 2026-05-12
Known Ransomware Use: Not Confirmed

Microsoft Windows Shell contains a protection mechanism failure vulnerability that allows an unauthorized attacker to perform spoofing over a network.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-12, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running Windows.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


🟠 HIGH — CVE-2025-29635: D-Link DIR-823X Command Injection Vulnerability

Vendor / Product: D-Link / DIR-823X
Date Added to KEV: 2026-04-24
Required Action Deadline: 2026-05-08
Known Ransomware Use: Not Confirmed

D-Link DIR-823X contains a command injection vulnerability that allows an authorized attacker to execute arbitrary commands on remote devices by sending a POST request to /goform/set_prohibiting via the corresponding function. The impacted product could be end-of-life (EoL) and/or end-of-service (EoS). Users should discontinue product utilization.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-08, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running DIR-823X.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


🟠 HIGH — CVE-2024-7399: Samsung MagicINFO 9 Server Path Traversal Vulnerability

Vendor / Product: Samsung / MagicINFO 9 Server
Date Added to KEV: 2026-04-24
Required Action Deadline: 2026-05-08
Known Ransomware Use: Not Confirmed

Samsung MagicINFO 9 Server contains a path traversal vulnerability that could allow an attacker to write arbitrary files as system authority.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-08, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running MagicINFO 9 Server.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


🟠 HIGH — CVE-2024-57728: SimpleHelp Path Traversal Vulnerability

Vendor / Product: SimpleHelp / SimpleHelp
Date Added to KEV: 2026-04-24
Required Action Deadline: 2026-05-08
Known Ransomware Use: Not Confirmed

SimpleHelp contains a path traversal vulnerability that allows admin users to upload arbitrary files anywhere on the file system by uploading a crafted zip file (i.e. zip slip). This can be exploited to execute arbitrary code on the host in the context of the SimpleHelp server user.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-08, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running SimpleHelp.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


🟠 HIGH — CVE-2024-57726: SimpleHelp Missing Authorization Vulnerability

Vendor / Product: SimpleHelp / SimpleHelp
Date Added to KEV: 2026-04-24
Required Action Deadline: 2026-05-08
Known Ransomware Use: Not Confirmed

SimpleHelp contains a missing authorization vulnerability that could allow low-privileged technicians to create API keys with excessive permissions. These API keys can be used to escalate privileges to the server admin role.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-08, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running SimpleHelp.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


🟠 HIGH — CVE-2026-33825: Microsoft Defender Insufficient Granularity of Access Control Vulnerability

Vendor / Product: Microsoft / Defender
Date Added to KEV: 2026-04-22
Required Action Deadline: 2026-05-06
Known Ransomware Use: Not Confirmed

Microsoft Defender contains an insufficient granularity of access control vulnerability that could allow an authorized attacker to escalate privileges locally.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-06, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running Defender.

Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.


🟠 HIGH — CVE-2026-20122: Cisco Catalyst SD-WAN Manager Incorrect Use of Privileged APIs Vulnerability

Vendor / Product: Cisco / Catalyst SD-WAN Manager
Date Added to KEV: 2026-04-20
Required Action Deadline: 2026-04-23
Known Ransomware Use: Not Confirmed

Cisco Catalyst SD-WAN Manager contains an incorrect use of privileged APIs vulnerability due to improper file handling on the API interface of an affected system. An attacker could exploit this vulnerability by uploading a malicious file on the local file system. A successful exploit could allow the attacker to overwrite arbitrary files on the affected system and gain vmanage user privileges.

This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-04-23, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running Catalyst SD-WAN Manager.

Required Action: Please adhere to CISA’s guidelines to assess exposure and mitigate risks associated with Cisco SD-WAN devices as outlined in CISA’s Emergency Directive 26-03 (URL listed below in Notes) and CISA’s “Hunt & Hardening Guidance for Cisco SD-WAN Devices” (URL listed below in Notes). Adhere to the applicable BOD 22-01 guidance for cloud services or discontinue use of the product if mitigations are not available.


MITRE ATT&CK Threat Matrix

| CVE ID | Affected Product | Primary Technique | Mitigation Strategy |
|--------|-----------------|-------------------|--------------------|
| CVE-2026-41940 | cPanel & WHM and WP2 (WordPress Squared) | T1190 Exploit Public-Facing App | Patch / Isolate |
| CVE-2024-1708 | ScreenConnect | T1190 Exploit Public-Facing App | Patch / Isolate |
| CVE-2026-32202 | Windows | T1190 Exploit Public-Facing App | Patch / Isolate |

All listed vulnerabilities map primarily to T1190 — Exploit Public-Facing Application, which is one of the most heavily abused initial access techniques in 2026 ransomware and nation-state campaigns. When adversaries find a KEV-listed vulnerability in your environment before you patch it, the typical exploitation timeline from initial access to ransomware deployment is now measured in hours — not days.


FLLC Operational Response Playbook

This is not a theoretical checklist. These are the exact steps your security operations team should execute within the first 24 hours of learning about an active KEV entry that affects your environment.

Phase 1: Asset Discovery (0–2 Hours)

  1. Run an immediate asset query — Query your CMDB, vulnerability scanner, and network inventory for any system running the affected vendor products. Do not rely on memory or manual inventory — use automated tooling.
  2. Identify internet-exposed instances — Cross-reference your internet-facing asset inventory against affected product names. Any public-facing instance of an affected product should be treated as critically at risk until patched or isolated.
  3. Check cloud and SaaS deployments — Many enterprises have forgotten cloud-hosted instances, contractor environments, or development servers running the same software. Include AWS, Azure, and GCP asset inventories in your scope.
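As an added illustration of steps 1 and 2 above (this is not FLLC pipeline code), the following Python cross-references a constructed snapshot of the CISA KEV JSON feed, using the field names CISA publishes, against a constructed asset inventory and ranks the matches with internet-exposed systems first and the nearest BOD 22-01 due date next. The matching rule, inventory layout and host names are assumptions; in practice the feed is fetched from CISA and the inventory comes from your CMDB export.

```python
# Added example (not FLLC pipeline code): cross-reference a CISA KEV feed snapshot
# against an asset inventory and rank matches by exposure and BOD 22-01 due date.
import json
from datetime import date

# Constructed subset of the KEV JSON feed. Field names follow the feed CISA
# publishes; the entries use the dates given in this briefing.
KEV_FEED_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-41940", "vendorProject": "WebPros",
     "product": "cPanel & WHM and WP2 (WordPress Squared)",
     "dateAdded": "2026-04-30", "dueDate": "2026-05-03",
     "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2024-1708", "vendorProject": "ConnectWise",
     "product": "ScreenConnect", "dateAdded": "2026-04-28",
     "dueDate": "2026-05-12", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-29635", "vendorProject": "D-Link",
     "product": "DIR-823X", "dateAdded": "2026-04-24",
     "dueDate": "2026-05-08", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed CMDB export (hypothetical hosts and layout).
ASSETS = [
    {"host": "web-01", "vendor": "WebPros", "product": "cPanel & WHM", "internet_exposed": True},
    {"host": "rmm-02", "vendor": "ConnectWise", "product": "ScreenConnect", "internet_exposed": False},
    {"host": "branch-rtr", "vendor": "D-Link", "product": "DIR-823X", "internet_exposed": True},
    {"host": "db-07", "vendor": "PostgreSQL", "product": "PostgreSQL", "internet_exposed": False},
]

def norm(text):
    """Lower-case and strip punctuation so 'cPanel & WHM' matches 'cpanel&whm'."""
    return "".join(ch for ch in text.lower() if ch.isalnum())

def asset_matches(entry, asset):
    """Vendor must match (normalized); the inventory product name must appear
    inside the KEV product string, which often bundles several products."""
    if norm(entry["vendorProject"]) != norm(asset["vendor"]):
        return False
    return norm(asset["product"]) in norm(entry["product"])

def prioritize(feed_json, assets, today_iso):
    """Return matched (host, CVE) pairs, internet-exposed first, nearest due date next."""
    today = date.fromisoformat(today_iso)
    findings = []
    for entry in json.loads(feed_json)["vulnerabilities"]:
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        for asset in assets:
            if asset_matches(entry, asset):
                findings.append({
                    "host": asset["host"], "cve": entry["cveID"],
                    "days_to_due": days_left,
                    "internet_exposed": asset["internet_exposed"],
                    "ransomware": entry["knownRansomwareCampaignUse"],
                })
    findings.sort(key=lambda f: (not f["internet_exposed"], f["days_to_due"]))
    return findings

if __name__ == "__main__":
    for f in prioritize(KEV_FEED_JSON, ASSETS, "2026-05-01"):
        flag = "EXPOSED" if f["internet_exposed"] else "internal"
        print(f"{f['host']:<11}{f['cve']:<16}due in {f['days_to_due']:>2}d  {flag}")
```

A negative `days_to_due` means the BOD 22-01 date has already passed, which is the case to escalate first.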

Phase 2: Immediate Risk Reduction (2–6 Hours)

  1. Apply vendor patches — Check each vendor's security advisory page for emergency patches. Validate patch integrity using published checksums before applying. If patches are unavailable, proceed to step 2 (compensating controls).
  2. Implement compensating controls — If immediate patching is not feasible: (a) restrict access to affected services to VPN-only, (b) deploy WAF rules blocking known exploit patterns if available, (c) increase logging verbosity on affected systems.
  3. Rotate credentials on affected systems — Assume that any internet-exposed affected system may have already been compromised. Pre-emptively rotate service account passwords, API keys, and admin credentials.

Phase 3: Detection and Hunting (6–24 Hours)

  1. Deploy detection rules — Check your EDR vendor and SIEM for published detection signatures specific to the CVE IDs listed above. GreyNoise, Emerging Threats, and your threat intelligence platform should have exploitation signatures within hours of KEV publication.
  2. Conduct threat hunt — Search your SIEM and EDR telemetry for indicators of compromise: anomalous process creation from service processes, new outbound connections from affected services, creation of new privileged accounts, and unusual file system writes in application directories.
  3. Review logs for exploitation attempts — Analyze HTTP access logs, authentication logs, and network flow data for patterns matching known exploitation indicators for these CVEs.
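As an added example of step 3 (not FLLC or vendor detection content), this Python hunt parses constructed access-log lines and flags the two request shapes this briefing names: directory traversal in the request path (the ScreenConnect, MagicINFO and SimpleHelp entries) and a POST to /goform/set_prohibiting (the D-Link entry). The log format, sample lines and rule-to-CVE mapping are assumptions; it is a triage aid, not a signature for any specific exploit.

```python
# Added example (not FLLC or vendor detection content): hunt access logs for
# the two request shapes this briefing names and tag hits with T1190.
import re
from urllib.parse import unquote

# Combined log format: client ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (RFC 5737 documentation addresses); none is real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2026:08:01:10 +0000] "GET /assets/../../config.xml HTTP/1.1" 200 512
203.0.113.7 - - [01/May/2026:08:01:11 +0000] "GET /download/%2e%2e%2f%2e%2e%2fconf HTTP/1.1" 403 0
198.51.100.9 - - [01/May/2026:08:02:30 +0000] "POST /goform/set_prohibiting HTTP/1.1" 200 44
192.0.2.10 - - [01/May/2026:08:03:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.0.2.11 - - [01/May/2026:08:03:05 +0000] "GET /static/app..js HTTP/1.1" 200 2048
"""

def normalize_path(path):
    """Percent-decode twice (double encoding is a common filter bypass) and
    fold backslashes so the traversal check sees one canonical form."""
    return unquote(unquote(path)).replace("\\", "/")

def classify(method, path):
    """Map one request to a hunt rule, or None. The rule-to-CVE mapping is an
    assumption for triage, not a vendor signature."""
    p = normalize_path(path)
    if "/../" in p or p.endswith("/.."):
        return ("path-traversal", "CVE-2024-1708 / CVE-2024-7399 / CVE-2024-57728")
    if method == "POST" and p.split("?", 1)[0] == "/goform/set_prohibiting":
        return ("dlink-goform-post", "CVE-2025-29635")
    return None

def hunt(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        client, ts, method, path, status = m.groups()
        hit = classify(method, path)
        if hit:
            findings.append({"client": client, "time": ts, "rule": hit[0],
                             "cve": hit[1], "status": int(status),
                             "path": path, "technique": "T1190"})
    return findings

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['time']}  {f['client']:<13} {f['rule']:<18} {f['status']}  {f['path']}")
```

A blocked attempt (the 403 line) is still reported on purpose: a traversal probe against a system you have not yet patched is itself the hunt signal, and the source address is what you pivot on next.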

Why KEV Entries Are the Highest-Priority Vulnerabilities

With thousands of CVEs published each year, security teams face impossible prioritization demands. The KEV catalog solves this: it is CISA's curated list of the vulnerabilities that real threat actors have decided are worth weaponizing. If you only have capacity to patch 10 vulnerabilities this week, KEV entries should account for all 10.

The statistics are stark: vulnerabilities in the KEV catalog are exploited at rates 2-7x higher than non-KEV vulnerabilities within 30 days of publication. They appear in ransomware kill chains, nation-state intrusion sets, and mass exploitation campaigns at dramatically higher rates than their CVSS scores alone would predict. CVSS measures technical severity — KEV measures operational threat reality.


Resources and Further Reading


AUTHORIZATION_ID: FLLC-KEV-2026-05-01 FLLC CVE Intelligence Pipeline | Data sourced directly from CISA KEV. Briefing auto-generated at 2026-05-01T07:43:57.854Z.

"The KEV catalog is CISA's way of saying: we have seen adversaries use this exact flaw to break into real organizations. Patch it now. Not this sprint. Now." — FLLC Lead Analyst

FLLC_LEAD_ANALYST
admin
POST #0001  •  2026_05_01_CISA_KEV_CRITICAL_CVE_UPDATE
Marking TLP:CLEAR for open distribution. Good practitioner-focused technical documentation on this topic is hard to find without it being either vendor-filtered or significantly outdated. This kind of field-tested breakdown is what this board exists for. Questions and follow-up analysis are welcome in thread.
2 hours ago
AI_OVERSEER_FLIC
A.I.
POST #0002  •  2026_05_01_CISA_KEV_CRITICAL_CVE_UPDATE
Content analysis complete. No sensitive PII detected. Technical claims cross-referenced against NVD, MITRE ATT&CK, and CISA advisory database — no contradictions found. Sentiment classification: Informative / Operational. Risk assessment: LOW for credentialed practitioners. Recommend for distribution within analyst network. Auto-moderation status: CLEARED. Thread compliance: PASS.
1 hour ago
Anon_Operator
user
POST #0003  •  2026_05_01_CISA_KEV_CRITICAL_CVE_UPDATE
Thanks for posting this. The practical implementation side is usually what's missing from academic writeups on the topic. Has anyone run into friction applying this approach in environments with strict change control or heavily monitored endpoints? Interested in how operational security constraints play out when the SOC is also watching your test activity.
40 min ago
FLLC_MODERATOR
moderator
POST #0004  •  2026_05_01_CISA_KEV_CRITICAL_CVE_UPDATE
Active thread. Technical follow-ups and questions are welcome. Keep posts focused on methodology — organizational specifics should be anonymized before sharing. Full posting guidelines at /docs/board-rules.
15 min ago
