[INTEL_REF: KEV-2026-06-06] CISA Known Exploited Vulnerabilities Briefing
CLASSIFICATION: ACTIVE EXPLOITATION CONFIRMED — IMMEDIATE ACTION REQUIRED
The Cybersecurity and Infrastructure Security Agency has added 20 new vulnerabilities to the Known Exploited Vulnerabilities (KEV) catalog as of 2026-06-06. The KEV catalog is not a theoretical risk list — it is CISA's confirmed record of vulnerabilities that adversaries are actively weaponizing right now, against real targets, in production environments. Every entry carries the full weight of BOD 22-01 for federal agencies and represents best-practice urgent remediation guidance for all enterprises.
Understanding what makes a KEV entry significant: CISA only adds a vulnerability when there is credible, technical evidence of active in-the-wild exploitation. This means threat actors have working exploit code, are scanning for vulnerable systems, and are successfully compromising them. The patching window is not measured in weeks — it is measured in hours for internet-exposed systems.
AI Team Transmission Log
[CSET AI — NIST COMPLIANCE FEED]
New KEV Entries: 20
Critical Severity: 8
High Severity: 2
Federal Mandate: BOD 22-01 — agencies must remediate by published due dates
Enterprise Guidance: NIST CSF Respond/Recover functions activated
MITRE Coverage: T1190 (Exploit Public-Facing Application), T1133 (External Remote Services)
[TERMINAL — RAPID EXPOSURE SCAN]
> # Identify affected systems in your environment:
> grep -ri 'serv-u' /etc/hosts /etc/fstab /var/log/ 2>/dev/null
> grep -ri 'mirasvitfull' /etc/hosts /etc/fstab /var/log/ 2>/dev/null
> grep -ri 'kernel' /etc/hosts /etc/fstab /var/log/ 2>/dev/null
> shodan search 'product:Serv-U country:US' --fields ip_str,port,org
> nmap -sV --script vuln -p 443,8080,8443,22 <affected_subnet>
[FLIC — GOVERNANCE STATUS]
Risk level elevated. C-suite notification recommended for Critical-severity entries.
Insurance carriers require documentation of KEV remediation within 30 days for policy compliance.
Vendor advisories linked below — assign tickets before end of business today.
🔴 Critical Severity Exploited Vulnerabilities
🔴 CRITICAL — CVE-2026-28318: SolarWinds Serv-U Uncontrolled Resource Consumption Vulnerability
Vendor / Product: SolarWinds / Serv-U
Date Added to KEV: 2026-06-05
Required Action Deadline: 2026-06-19
Known Ransomware Use: Potential / Under Investigation
SolarWinds Serv-U contains an uncontrolled resource consumption vulnerability that allows specially crafted POST requests using the Content-Encoding: deflate header to crash the Serv-U service without authentication.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-06-19, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running Serv-U.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
🔴 CRITICAL — CVE-2026-45247: Mirasvit Full Page Cache Warmer Deserialization of Untrusted Data Vulnerability
Vendor / Product: Mirasvit / Mirasvit Full Page Cache Warmer
Date Added to KEV: 2026-06-03
Required Action Deadline: 2026-06-06
Known Ransomware Use: Potential / Under Investigation
Mirasvit Full Page Cache Warmer contains a deserialization of untrusted data vulnerability that could allow unauthenticated attackers to achieve remote code execution by supplying a crafted serialized PHP object in the CacheWarmer cookie.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-06-06, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running Mirasvit Full Page Cache Warmer.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
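For hunting in captured request headers or WAF logs, the following added example (not CISA or vendor code) flags requests whose CacheWarmer cookie carries a PHP serialized-object marker, including URL-encoded and base64-wrapped forms. It assumes legitimate cookie values never contain serialized objects; the sample headers are constructed and use only an inert `stdClass` object.

```python
import base64
import binascii
import re
from urllib.parse import unquote

COOKIE_NAME = "CacheWarmer"  # cookie named in the KEV description
# PHP serialize() object markers: O:<len>:"Class":<n>:{ or C:<len>:"Class":<n>:{
# An optional sign before the length is tolerated.
PHP_OBJECT = re.compile(r'(?:^|[;{])[OC]:\+?\d+:"[^"]+":\d+:\{')


def cookie_value(cookie_header, name=COOKIE_NAME):
    """Return the raw value of one cookie from a Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep and key == name:
            return value
    return None


def candidate_decodings(raw):
    """Return the raw value, its URL-decoded form, and base64 decodings where valid."""
    seen = []
    for value in (raw, unquote(raw)):
        if value not in seen:
            seen.append(value)
        try:
            decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except (binascii.Error, ValueError):
            continue  # not base64: only the literal forms are inspected
        if decoded and decoded not in seen:
            seen.append(decoded)
    return seen


def inspect_request(cookie_header):
    """Classify a request as 'absent', 'present' or 'serialized-object'."""
    value = cookie_value(cookie_header)
    if value is None:
        return "absent"
    if any(PHP_OBJECT.search(form) for form in candidate_decodings(value)):
        return "serialized-object"
    return "present"


# Constructed Cookie headers for demonstration.
SAMPLES = [
    "sid=abc; CacheWarmer=warm1234",
    "sid=abc; CacheWarmer=O%3A8%3A%22stdClass%22%3A0%3A%7B%7D",
    "CacheWarmer=" + base64.b64encode(b'a:1:{i:0;O:8:"stdClass":0:{}}').decode(),
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(inspect_request(header), "<-", header)
```

A `serialized-object` verdict is a lead for investigation rather than proof of compromise; correlate it with process and file-write telemetry on the web host.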
🔴 CRITICAL — CVE-2022-0492: Linux Kernel Improper Authentication Vulnerability
Vendor / Product: Linux / Kernel
Date Added to KEV: 2026-06-02
Required Action Deadline: 2026-06-05
Known Ransomware Use: Potential / Under Investigation
Linux Kernel contains an improper authentication vulnerability which could allow for privilege escalation via the cgroups v1 release_agent feature.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-06-05, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running the Linux Kernel.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
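As a monitoring aid while patching is in progress, this added example (not from CISA or a kernel vendor) lists cgroup v1 hierarchies from `/proc/mounts` content and reports any `release_agent` set to an unexpected path. The allowlist of systemd helper paths is an assumption to adjust per fleet, the sample data is constructed, and the check only sees hierarchies visible in the mount namespace where it runs.

```python
# Assumption: the only release agent expected on this fleet is systemd's helper.
EXPECTED_AGENTS = {
    "/lib/systemd/systemd-cgroups-agent",
    "/usr/lib/systemd/systemd-cgroups-agent",
}


def cgroup_v1_mounts(mounts_text):
    """Return mount points of cgroup v1 hierarchies from /proc/mounts content."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # /proc/mounts columns: device, mount point, fstype, options, dump, pass
        if len(fields) >= 3 and fields[2] == "cgroup":  # cgroup v2 is "cgroup2"
            points.append(fields[1])
    return points


def audit_release_agents(mounts_text, read_file):
    """Return (mount, agent) for v1 hierarchies with an unexpected release_agent."""
    findings = []
    for mount in cgroup_v1_mounts(mounts_text):
        try:
            agent = read_file(f"{mount}/release_agent").strip()
        except (OSError, KeyError):
            continue  # file missing or unreadable in this hierarchy
        if agent and agent not in EXPECTED_AGENTS:
            findings.append((mount, agent))
    return findings


def read_text(path):
    """File reader to pass as read_file on a live host."""
    with open(path, encoding="utf-8", errors="replace") as handle:
        return handle.read()


# Constructed data standing in for /proc/mounts and the release_agent files.
SAMPLE_MOUNTS = """\
cgroup2 /sys/fs/cgroup/unified cgroup2 rw,nosuid 0 0
cgroup /sys/fs/cgroup/systemd cgroup rw,name=systemd 0 0
cgroup /sys/fs/cgroup/memory cgroup rw,memory 0 0
cgroup /sys/fs/cgroup/rdma cgroup rw,rdma 0 0
"""
SAMPLE_FILES = {
    "/sys/fs/cgroup/systemd/release_agent": "/lib/systemd/systemd-cgroups-agent\n",
    "/sys/fs/cgroup/memory/release_agent": "\n",
    "/sys/fs/cgroup/rdma/release_agent": "/tmp/placeholder-agent\n",
}

if __name__ == "__main__":
    print(audit_release_agents(SAMPLE_MOUNTS, SAMPLE_FILES.__getitem__))
```

On a live host, call `audit_release_agents(read_text("/proc/mounts"), read_text)` with enough privilege to read the cgroup files.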
🔴 CRITICAL — CVE-2025-48595: Android Framework Integer Overflow Vulnerability
Vendor / Product: Android / Framework
Date Added to KEV: 2026-06-02
Required Action Deadline: 2026-06-05
Known Ransomware Use: Potential / Under Investigation
Android Framework contains an integer overflow vulnerability that allows code execution, which could lead to local privilege escalation.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-06-05, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running the Android Framework.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
🔴 CRITICAL — CVE-2024-21182: Oracle WebLogic Server Unspecified Vulnerability
Vendor / Product: Oracle / WebLogic Server
Date Added to KEV: 2026-06-01
Required Action Deadline: 2026-06-04
Known Ransomware Use: Potential / Under Investigation
Oracle WebLogic contains an unspecified vulnerability that could allow an unauthenticated attacker with network access via T3, IIOP to compromise Oracle WebLogic Server. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-06-04, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running WebLogic Server.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
🔴 CRITICAL — CVE-2026-48027: Nx Console Embedded Malicious Code Vulnerability
Vendor / Product: Nx / Nx Console
Date Added to KEV: 2026-05-27
Required Action Deadline: 2026-06-10
Known Ransomware Use: Potential / Under Investigation
Nx Console contains an embedded malicious code vulnerability that allowed a malicious version of Nx Console to be published. The compromised extension fetched an obfuscated payload that could harvest credentials from multiple sources on disk and in memory.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-06-10, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running Nx Console.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
🔴 CRITICAL — CVE-2026-45321: TanStack Unspecified Vulnerability
Vendor / Product: TanStack / TanStack
Date Added to KEV: 2026-05-27
Required Action Deadline: 2026-06-10
Known Ransomware Use: Potential / Under Investigation
TanStack contains an unspecified vulnerability that allowed malicious versions of the product to be published to the npm registry, distributing credential-stealing malware under a trusted identity.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-06-10, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running TanStack.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
🔴 CRITICAL — CVE-2026-48172: LiteSpeed cPanel Plugin Privilege Escalation Vulnerability
Vendor / Product: LiteSpeed / cPanel Plugin
Date Added to KEV: 2026-05-26
Required Action Deadline: 2026-05-29
Known Ransomware Use: Potential / Under Investigation
LiteSpeed cPanel Plugin contains a privilege escalation vulnerability that is exposed via the user-end cPanel plugin, which can be abused by any cPanel user account to execute arbitrary scripts with root privileges.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-29, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running the LiteSpeed cPanel Plugin.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
🟠 High Severity Exploited Vulnerabilities
🟠 HIGH — CVE-2026-0257: Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Vendor / Product: Palo Alto Networks / PAN-OS
Date Added to KEV: 2026-05-29
Required Action Deadline: 2026-06-01
Known Ransomware Use: Not Confirmed
Palo Alto Networks PAN-OS contains an authentication bypass vulnerability that allows attackers to bypass security restrictions and establish an unauthorized VPN connection.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-06-01, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running PAN-OS.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
🟠 HIGH — CVE-2026-8398: Daemon Tools Lite Embedded Malicious Code Vulnerability
Vendor / Product: Daemon / Daemon Tools Lite
Date Added to KEV: 2026-05-27
Required Action Deadline: 2026-05-30
Known Ransomware Use: Not Confirmed
Daemon Tools contains an unspecified vulnerability that has a high impact on confidentiality, integrity, and availability.
This vulnerability represents an actively exploited attack path that CISA has confirmed is being used against real targets. The classification in the KEV catalog means this is not a theoretical risk — adversaries have working exploits and are deploying them. Enterprise security teams should treat the remediation deadline as a hard cutoff, not a guideline. If your organization cannot patch by 2026-05-30, implement compensating controls immediately: isolate affected systems, restrict network access, and increase monitoring sensitivity on any endpoint running Daemon Tools Lite.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
MITRE ATT&CK Threat Matrix
| CVE ID | Affected Product | Primary Technique | Mitigation Strategy |
|--------|-----------------|-------------------|--------------------|
| CVE-2026-28318 | Serv-U | T1190 Exploit Public-Facing App | Patch / Isolate |
| CVE-2026-45247 | Mirasvit Full Page Cache Warmer | T1190 Exploit Public-Facing App | Patch / Isolate |
| CVE-2022-0492 | Kernel | T1190 Exploit Public-Facing App | Patch / Isolate |
All listed vulnerabilities map primarily to T1190 — Exploit Public-Facing Application, which is one of the most heavily abused initial access techniques in 2026 ransomware and nation-state campaigns. When adversaries find a KEV-listed vulnerability in your environment before you patch it, the typical exploitation timeline from initial access to ransomware deployment is now measured in hours — not days.
FLLC Operational Response Playbook
This is not a theoretical checklist. These are the exact steps your security operations team should execute within the first 24 hours of learning about an active KEV entry that affects your environment.
Phase 1: Asset Discovery (0–2 Hours)
- Run an immediate asset query — Query your CMDB, vulnerability scanner, and network inventory for any system running the affected vendor products. Do not rely on memory or manual inventory — use automated tooling.
- Identify internet-exposed instances — Cross-reference your internet-facing asset inventory against affected product names. Any public-facing instance of an affected product should be treated as critically at risk until patched or isolated.
- Check cloud and SaaS deployments — Many enterprises have forgotten cloud-hosted instances, contractor environments, or development servers running the same software. Include AWS, Azure, and GCP asset inventories in your scope.
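One way to automate the Phase 1 cross-reference, as an added example rather than FLLC or CISA tooling: it reads KEV entries in the field layout of the CISA JSON feed, matches them against an inventory export, and orders the hits with internet-exposed systems first and the earliest deadline next. The feed excerpt uses CVE IDs and deadlines from this briefing, the inventory rows are constructed, and matching is by vendor and product name only, so affected versions still have to be confirmed against the vendor advisory.

```python
import json
from datetime import date

# Constructed excerpt in the layout of the CISA KEV JSON feed; values are from this briefing.
KEV_FEED = """{"vulnerabilities": [
 {"cveID": "CVE-2026-28318", "vendorProject": "SolarWinds", "product": "Serv-U", "dueDate": "2026-06-19"},
 {"cveID": "CVE-2026-45247", "vendorProject": "Mirasvit", "product": "Mirasvit Full Page Cache Warmer", "dueDate": "2026-06-06"},
 {"cveID": "CVE-2022-0492", "vendorProject": "Linux", "product": "Kernel", "dueDate": "2026-06-05"},
 {"cveID": "CVE-2026-0257", "vendorProject": "Palo Alto Networks", "product": "PAN-OS", "dueDate": "2026-06-01"}
]}"""

# Constructed inventory export: (hostname, installed software, internet_exposed).
INVENTORY = [
    ("ftp-edge-01", "SolarWinds Serv-U", True),
    ("shop-web-02", "Mirasvit Full Page Cache Warmer", True),
    ("build-07", "Linux Kernel", False),
    ("vpn-gw-01", "Palo Alto Networks  PAN-OS", True),
    ("hr-db-03", "PostgreSQL", False),
]


def normalise(text):
    """Lower-case and collapse whitespace so inventory spelling differences match."""
    return " ".join(text.lower().split())


def triage(inventory, feed_json=KEV_FEED, today=date(2026, 6, 6)):
    """Return KEV hits sorted: internet-exposed first, then earliest due date."""
    entries = json.loads(feed_json)["vulnerabilities"]
    findings = []
    for host, software, exposed in inventory:
        name = normalise(software)
        for entry in entries:
            # Require both vendor and product in the software string to limit false matches.
            if normalise(entry["vendorProject"]) in name and normalise(entry["product"]) in name:
                due = date.fromisoformat(entry["dueDate"])
                findings.append({"host": host, "cve": entry["cveID"], "exposed": exposed,
                                 "due": due, "days_left": (due - today).days})
    findings.sort(key=lambda f: (not f["exposed"], f["due"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY):
        state = "OVERDUE" if f["days_left"] < 0 else f"{f['days_left']}d left"
        print(f"{f['host']:12} {f['cve']:15} exposed={f['exposed']!s:5} {state}")
```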
Phase 2: Immediate Risk Reduction (2–6 Hours)
- Apply vendor patches — Check each vendor's security advisory page for emergency patches. Validate patch integrity using published checksums before applying. If patches are unavailable, proceed to the next step (compensating controls).
- Implement compensating controls — If immediate patching is not feasible: (a) restrict access to affected services to VPN-only, (b) deploy WAF rules blocking known exploit patterns if available, (c) increase logging verbosity on affected systems.
- Rotate credentials on affected systems — Assume that any internet-exposed affected system may have already been compromised. Pre-emptively rotate service account passwords, API keys, and admin credentials.
Phase 3: Detection and Hunting (6–24 Hours)
- Deploy detection rules — Check your EDR vendor and SIEM for published detection signatures specific to the CVE IDs listed above. GreyNoise, Emerging Threats, and your threat intelligence platform should have exploitation signatures within hours of KEV publication.
- Conduct threat hunt — Search your SIEM and EDR telemetry for indicators of compromise: anomalous process creation from service processes, new outbound connections from affected services, creation of new privileged accounts, and unusual file system writes in application directories.
- Review logs for exploitation attempts — Analyze HTTP access logs, authentication logs, and network flow data for patterns matching known exploitation indicators for these CVEs.
Why KEV Entries Are the Highest-Priority Vulnerabilities
With thousands of CVEs published each year, security teams face impossible prioritization demands. The KEV catalog solves this: it is CISA's curated list of the vulnerabilities that real threat actors have decided are worth weaponizing. If you only have capacity to patch 10 vulnerabilities this week, KEV entries should account for all 10.
The statistics are stark: vulnerabilities in the KEV catalog are exploited at rates 2-7x higher than non-KEV vulnerabilities within 30 days of publication. They appear in ransomware kill chains, nation-state intrusion sets, and mass exploitation campaigns at dramatically higher rates than their CVSS scores alone would predict. CVSS measures technical severity — KEV measures operational threat reality.
Resources and Further Reading
- CISA KEV Catalog — Full Listing
- BOD 22-01 — Reducing the Significant Risk of Known Exploited Vulnerabilities
- NVD CVE Search
- MITRE ATT&CK T1190
- FLLC Cyber Arsenal — Vulnerability Management Tools
- FLLC Intelligence Hub — Live Threat Feed
AUTHORIZATION_ID: FLLC-KEV-2026-06-06 FLLC CVE Intelligence Pipeline | Data sourced directly from CISA KEV. Briefing auto-generated at 2026-06-06T07:56:07.864Z.
"The KEV catalog is CISA's way of saying: we have seen adversaries use this exact flaw to break into real organizations. Patch it now. Not this sprint. Now." — FLLC Lead Analyst