CISA's Known Exploited Vulnerabilities catalogue documents vulnerabilities with confirmed exploitation in the wild. For federal civilian executive branch agencies, KEV items carry mandatory remediation deadlines. For private sector organisations, the KEV is the highest-confidence signal available that a vulnerability is being actively used in attacks, and therefore the highest-priority remediation category.
May 2026 added a broad range of KEV items across software, firmware, and network categories. This guide organises them by remediation pathway.
Network Appliance KEV Additions
CVE-2026-3055 - Citrix NetScaler ADC/Gateway SAML IDP (CVSSv4 9.3)
- Why it's on KEV: Large-scale exploitation confirmed by multiple threat intelligence sources; first added to KEV in April after initial targeted exploitation
- Remediation: Upgrade NetScaler firmware to patched versions per CTX-2026-3055. Appliances with SAML IDP configured and internet-accessible during the exposure window should be treated as potentially compromised.
- KEV deadline for FCEB: Verify remediation status
CVE-2026-0257 - Palo Alto PAN-OS GlobalProtect
- Why it's on KEV: Second exploitation wave confirmed in May after initial CISA KEV addition in April
- Remediation: Upgrade PAN-OS to patched version; see Palo Alto advisory
- KEV deadline for FCEB: Previously issued; verify completion
Developer Environment KEV Additions (27 May)
CVE-2026-8398 - DAEMON Tools Signed Installer Trojanisation
- Remediation pathway: Verify DAEMON Tools installer authenticity via code signing certificate; check for malicious post-installation processes from developer workstations; rotate developer credentials if DAEMON Tools was recently installed from unofficial sources
CVE-2026-45321 - TanStack Query npm Package
- Remediation pathway: Audit package-lock.json for non-official TanStack publishers; run npm audit; check for unexpected post-install scripts in node_modules/@tanstack/react-query/; rotate npm tokens and cloud credentials from affected developers
CVE-2026-48027 - Nx Console VS Marketplace Extension
- Remediation pathway: Remove Nx Console extensions from all developer machines; verify publisher ID before reinstalling (nrwl.angular-console); rotate credentials accessible from affected developer workstations; check VS Code extension telemetry for data exfiltration indicators
Microsoft Windows KEV Additions
CVE-2026-41091 - Microsoft Defender Zero-Day (May Patch Tuesday)
- Remediation: Windows Update (included in May 2026 Patch Tuesday); verify Defender platform version is updated alongside OS patches
CVE-2026-41089 - Windows Netlogon RCE (CVSS 9.8, confirmed exploitation 29 May)
- Remediation: Apply security update to all domain controllers immediately; verify with systeminfo | findstr KB against the expected KB number; investigate for post-exploitation indicators
KEV Tracking Recommendations
For private sector organisations, a KEV-driven vulnerability management process includes:
- Subscribe to KEV RSS/API updates: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json (integrate into your vulnerability management platform or SIEM)
- Define a KEV SLA separate from CVSS-only SLAs: KEV items should have a shorter remediation deadline than their CVSS score alone would suggest, because confirmation of active exploitation changes the risk calculus materially
- Report KEV coverage to leadership: Track what percentage of KEV items in your environment are remediated within your KEV SLA. This is a single, meaningful metric that boards and regulators understand: "we remediated X% of known exploited vulnerabilities within our 14-day SLA"
- Use KEV as a threat intelligence signal: KEV additions often precede broader exploitation waves. When CISA adds a vulnerability to KEV, treat it as an early warning that exploitation will expand in the near term, even if the initial exploitation was targeted
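One way to compute the KEV SLA coverage metric described above, as an added example that is not part of the original article. It assumes the SLA clock starts on the feed's dateAdded value; the feed excerpt, the findings export format, the asset names and the CVE-0000-xxxx identifiers are all constructed placeholders.

```python
import json
from datetime import date, timedelta

KEV_SLA_DAYS = 14  # the 14-day SLA used as the article's example

# Constructed sample in the shape of the KEV JSON feed (only the fields used here).
KEV_FEED = json.loads("""{"vulnerabilities": [
  {"cveID": "CVE-0000-0001", "dateAdded": "2026-05-01"},
  {"cveID": "CVE-0000-0002", "dateAdded": "2026-05-10"},
  {"cveID": "CVE-0000-0003", "dateAdded": "2026-05-12"},
  {"cveID": "CVE-0000-0004", "dateAdded": "2026-05-27"}]}""")

# Constructed scanner/ticket export (hypothetical format): one row per finding,
# "remediated" is None while the finding is still open.
FINDINGS = [
    {"asset": "vpn-gw-01", "cve": "CVE-0000-0001", "remediated": "2026-05-09"},
    {"asset": "dc-01", "cve": "CVE-0000-0002", "remediated": "2026-05-30"},
    {"asset": "dc-02", "cve": "CVE-0000-0003", "remediated": None},
    {"asset": "dev-ws-17", "cve": "CVE-0000-0004", "remediated": None},
    {"asset": "web-03", "cve": "CVE-0000-9999", "remediated": None},  # not in KEV
]

def kev_sla_report(feed, findings, today, sla_days=KEV_SLA_DAYS):
    """Bucket KEV findings against the SLA and compute the leadership metric."""
    # Assumption: the SLA clock starts on the feed's dateAdded for that CVE.
    added = {v["cveID"]: date.fromisoformat(v["dateAdded"])
             for v in feed["vulnerabilities"]}
    report = {"met": [], "late": [], "overdue": [], "pending": []}
    for f in findings:
        if f["cve"] not in added:
            continue  # non-KEV findings stay under the CVSS-only SLA
        deadline = added[f["cve"]] + timedelta(days=sla_days)
        if f["remediated"]:
            fixed = date.fromisoformat(f["remediated"])
            bucket = "met" if fixed <= deadline else "late"
        else:
            bucket = "overdue" if today > deadline else "pending"
        report[bucket].append((f["asset"], f["cve"]))
    # Open findings still inside the SLA window are not yet a pass or a fail.
    due = len(report["met"]) + len(report["late"]) + len(report["overdue"])
    report["pct_within_sla"] = round(100 * len(report["met"]) / due, 1) if due else None
    return report

if __name__ == "__main__":
    print(kev_sla_report(KEV_FEED, FINDINGS, today=date(2026, 5, 31)))
```

The "overdue" bucket is the working list for remediation owners, while "pct_within_sla" is the single figure for leadership reporting.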