CISA Sounds the Alarm: 7 New Exploited Flaws Added to KEV Catalog (Including 15-Year-Old Flaws)
The Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog, adding seven vulnerabilities that threat actors are actively weaponizing in the wild.
While KEV updates usually focus entirely on modern zero-days, this latest release contains a fascinating and alarming mix: two brand-new 2026 flaws in Microsoft Defender, alongside five legacy vulnerabilities dating back as far as 2008. The inclusion of these older flaws serves as a stark reminder that attackers don’t always need cutting-edge exploits; if an organization leaves ancient software unpatched, adversaries will gladly use a 15-year-old blueprint to break in.
Here is a breakdown of what was added, the architectural impact, and the remediation deadlines.
The Breakdown: What’s on the List?
1. The Modern Targets: Microsoft Defender (2026 Flaws)
Attackers are actively targeting modern endpoint security tooling, focusing on two freshly discovered vulnerabilities in Microsoft’s default security engine:
CVE-2026-41091 (Microsoft Defender Elevation of Privilege): Allows local attackers to bypass security boundaries and elevate privileges to system-level permissions.
CVE-2026-45498 (Microsoft Defender Denial of Service): Allows remote or local adversaries to trigger a DoS state, effectively disabling the antivirus/endpoint protection engine on targeted machines.
2. The Legacy Targets: Unpatched Technical Debt (2008–2010 Flaws)
The remaining five additions target highly specific legacy infrastructure, old document parsers, and deprecated browser components that are still lingering on enterprise networks:
CVE-2008-4250 (Microsoft Windows Buffer Overflow): One of the most infamous remote code execution (RCE) flaws in Windows history (historically leveraged by the Conficker worm).
CVE-2009-1537 (Microsoft DirectX NULL Byte Overwrite): A media streaming/rendering vulnerability that allows execution of arbitrary code via malicious web content or files.
CVE-2009-3459 (Adobe Acrobat and Reader Heap Overflow): A heap-based memory corruption flaw in ancient versions of Adobe's PDF readers, reachable through a malicious PDF document.
CVE-2010-0249 & CVE-2010-0806 (Microsoft Internet Explorer Use-After-Free): Memory corruption bugs affecting legacy browser engines, allowing remote code execution if a user visits a poisoned page.
Why Is This Happening Now?
SecOps teams often ask: Why are we seeing active exploitation of a 2008 flaw today? The reality of enterprise networks is that technical debt dies hard. Legacy manufacturing environments, specialized healthcare machines, and industrial control systems (ICS) often rely on deprecated operating systems or outdated software dependencies that cannot be upgraded without breaking operations.
Threat actors routinely scan internal networks post-compromise for these specific legacy gaps, knowing they provide an easy, reliable path to lateral movement and privilege escalation without triggering modern heuristics.
Required Actions & Compliance Deadlines
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are legally mandated to remediate these specific vulnerabilities within a strict window (typically 3 weeks from the announcement).
For Commercial Organizations, DevOps, and SysAdmins:
While BOD 22-01 only legally binds US federal agencies, CISA’s KEV catalog is widely accepted as the industry-standard benchmark for prioritization. If a vulnerability is in the KEV, it means it is being successfully exploited right now.
Audit Defender Installations: Ensure Microsoft Defender definitions and engine updates are deploying properly across your fleet to neutralize the 2026 bugs.
Purge Legacy Technical Debt: Scan internal subnets and air-gapped segments for lingering legacy Windows instances and deprecated applications that still depend on old Internet Explorer or DirectX components.
Isolate Irreplaceable Systems: If an operational system must run software vulnerable to these legacy CVEs, remove its internet access entirely and implement strict micro-segmentation to block lateral movement.
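Turning the KEV into a remediation queue is mostly a join: the scanner already tells you which hosts carry which CVEs, and the KEV feed tells you which of those are exploited in the wild and when the BOD 22-01 clock runs out. The script below is an added example, not code from the article or from CISA. The KEV field names it reads (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate, knownRansomwareCampaignUse) are the ones CISA's public JSON feed uses; the feed excerpt, its dates and ransomware flags, the host names and the scanner findings are all constructed sample data, and "CVE-0000-0000" is a placeholder for a finding that is not in the KEV.

```python
"""Rank vulnerability-scanner findings against the CISA KEV feed.

Added example, not from the article. The KEV field names are those of CISA's
public JSON feed; every entry, date, flag and host below is constructed.
"""
import json
from datetime import date

# Constructed excerpt in the shape of the KEV feed. Dates and ransomware flags
# are placeholders; the CVE IDs are the ones named in the article.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
     "vulnerabilityName": "Microsoft Defender Elevation of Privilege",
     "dateAdded": "2026-03-02", "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Defender",
     "vulnerabilityName": "Microsoft Defender Denial of Service",
     "dateAdded": "2026-03-02", "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
     "vulnerabilityName": "Microsoft Windows Buffer Overflow",
     "dateAdded": "2026-03-02", "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer",
     "vulnerabilityName": "Microsoft Internet Explorer Use-After-Free",
     "dateAdded": "2026-03-02", "dueDate": "2026-03-23", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner export: one row per (host, CVE). "internet_exposed" is
# whatever your asset database records for reachability from the internet.
SCANNER_FINDINGS = [
    {"host": "hmi-line3", "cve": "CVE-2008-4250", "internet_exposed": False},
    {"host": "hmi-line3", "cve": "CVE-2010-0806", "internet_exposed": False},
    {"host": "wks-0142", "cve": "CVE-2026-41091", "internet_exposed": True},
    {"host": "wks-0142", "cve": "CVE-0000-0000", "internet_exposed": True},  # placeholder, not in KEV
    {"host": "srv-fileshare", "cve": "CVE-2026-45498", "internet_exposed": True},
]


def load_kev(feed_text):
    """Parse the KEV feed into {cveID: entry} with ISO dates converted to date objects."""
    catalog = {}
    for entry in json.loads(feed_text)["vulnerabilities"]:
        catalog[entry["cveID"]] = {
            "name": entry["vulnerabilityName"],
            "added": date.fromisoformat(entry["dateAdded"]),
            "due": date.fromisoformat(entry["dueDate"]),
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
        }
    return catalog


def triage(findings, catalog, today):
    """Keep only findings whose CVE is in the KEV and rank them for remediation.

    Sort order: overdue first, then known ransomware use, then internet-exposed
    hosts, then fewest days left. Findings not in the KEV are dropped here; they
    still need fixing, but they are not the KEV-driven priority queue.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    rows = []
    for finding in findings:
        entry = catalog.get(finding["cve"])
        if entry is None:
            continue
        days_left = (entry["due"] - today).days
        rows.append({
            "host": finding["host"],
            "cve": finding["cve"],
            "name": entry["name"],
            "due": entry["due"].isoformat(),
            "days_left": days_left,
            "overdue": days_left < 0,
            "ransomware": entry["ransomware"],
            "internet_exposed": finding["internet_exposed"],
        })
    rows.sort(key=lambda r: (not r["overdue"], not r["ransomware"],
                             not r["internet_exposed"], r["days_left"]))
    return rows


def hosts_by_urgency(rows):
    """Collapse ranked findings into an ordered list of (host, [cves]), most urgent host first."""
    ordered = {}
    for row in rows:
        ordered.setdefault(row["host"], []).append(row["cve"])
    return list(ordered.items())


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for row in triage(SCANNER_FINDINGS, kev, "2026-03-20"):
        status = "OVERDUE" if row["overdue"] else f"{row['days_left']}d left"
        print(f"{row['host']:<14} {row['cve']:<15} {status:<8} "
              f"ransomware={row['ransomware']} exposed={row['internet_exposed']}")
```

In practice the feed text comes from CISA's published JSON rather than the inline excerpt, and the findings come from your scanner's export; the ranking key is the part worth adapting, for instance weighting ICS segments that cannot be patched (the "isolate" case above) so they surface for segmentation review rather than disappearing because they are not internet-exposed.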
Over to You
How much legacy software is still hiding in your infrastructure? Do old flaws like these show up on your internal vulnerability scans? Let’s talk strategy in the comments below!