The CISA Known Exploited Vulnerabilities (KEV) catalogue is the most operationally focused vulnerability prioritisation resource available to enterprise security teams: it documents CVEs with confirmed active exploitation and assigns remediation deadlines for federal civilian agencies under Binding Operational Directive 22-01. Commercial organisations are not directly bound by BOD 22-01, but the KEV is widely used as a contractual and regulatory remediation baseline.
This tracker consolidates the June 2026 KEV additions through 5 June, documents patch availability, and provides remediation guidance for each.
June 2026 KEV Additions (Through 5 June)
CVE-2024-21182: Oracle WebLogic Server RCE
Added to KEV: 1 June 2026
BOD 22-01 Remediation Deadline: 22 June 2026
Vendor: Oracle
Product: WebLogic Server
Versions affected: 12.2.1.4.0, 14.1.1.0.0
CVSS Score: 7.5 (HIGH)
Vulnerability type: Unauthenticated remote code execution via Java deserialization over T3/IIOP protocols
Patch available: Yes (Oracle January 2024 Critical Patch Update)
Exploitation evidence: Ransomware campaigns targeting financial services, healthcare, and government WebLogic deployments
Remediation:
- Apply the Oracle January 2024 Critical Patch Update (or a later CPU), available from My Oracle Support
- If CPU cannot be applied immediately: block external access to T3 (TCP 7001/7002) and IIOP (TCP 2809) at the perimeter firewall
- If WebLogic does not use T3 for EJB/JMS: disable the T3 protocol in the WebLogic console
Assessment note: CVE-2024-21182 was patched in January 2024, over 17 months before CISA's KEV addition. Any organisation still running unpatched WebLogic should treat this as an emergency remediation given confirmed ransomware exploitation.
CVE-2026-45247: Mirasvit Full Page Cache Warmer for Magento 2 RCE
Added to KEV: 3 June 2026
BOD 22-01 Remediation Deadline: 24 June 2026
Vendor: Mirasvit
Product: Full Page Cache Warmer for Magento 2
Versions affected: All versions prior to 1.11.12
CVSS Score: 9.8 (CRITICAL)
Vulnerability type: Unauthenticated PHP deserialization via cookie value, leading to remote code execution
Patch available: Yes (Mirasvit FPC Warmer v1.11.12, released 25 May 2026)
Exploitation evidence: Active exploitation confirmed by CISA; Magecart-style and credential harvesting payloads observed
Remediation:
- Update Mirasvit Full Page Cache Warmer to v1.11.12 or later
- If immediate patching is not possible: disable the extension (bin/magento module:disable Mirasvit_CacheWarmer)
- Review server logs and the pub/static/ directory for indicators of prior compromise
CVE-2026-46243: Linux Kernel CIFS Subsystem Local Privilege Escalation
Added to RHSB/distro advisories: 3 June 2026 (KEV pending formal addition as of 5 June)
Vendor: Linux kernel / all major distributions
Products affected: Linux systems with cifs-utils installed and running a kernel older than the patched versions
CVSS Score: Pending NVD scoring; distro advisories rate as Important/High
Vulnerability type: Local privilege escalation via forged CIFS upcall key; unprivileged user to root
Patch available: Yes (distribution kernel updates available as of 2-3 June)
Exploitation evidence: Public PoC available; exploitation timeline estimated within days
Remediation:
- Apply distribution kernel security updates (requires reboot to take effect)
- Prioritise multi-user systems, jump hosts, CI/CD runners, and container nodes
- Temporary mitigation: chmod 000 /usr/sbin/cifs.upcall
Monitoring KEV Additions
CISA publishes KEV updates on no fixed schedule; additions can occur multiple times per week when exploitation evidence confirms active targeting. Recommended monitoring approaches:
Feed polling: CISA publishes the complete KEV catalogue as a JSON file at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; polling this file for new entries provides real-time KEV tracking.
Automation: The CISA KEV can be queried programmatically. Integrating KEV data into a vulnerability management platform (Qualys, Tenable, Rapid7) or SIEM allows correlation of KEV additions against the asset inventory automatically.
Email notifications: CISA's US-CERT alert mailing list includes KEV addition announcements; subscribe at cisa.gov/uscert/mailing-lists-and-feeds.
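Putting the feed-polling and automation approaches together, the following is an added example (not from this tracker and not CISA's or any vendor's code) that parses a constructed sample in the shape of the KEV JSON feed, reports entries not yet seen, and correlates KEV CVEs against a constructed asset inventory with the days remaining to each BOD 22-01 deadline. The field names (cveID, dueDate, knownRansomwareCampaignUse) are those of the real feed; the hostnames, scanner findings and the placeholder CVE-2000-00001 are constructed.

```python
import json
from datetime import date

# Constructed sample in the shape of the CISA KEV JSON feed (not the live file),
# carrying the two June entries this tracker lists.
SAMPLE_KEV_JSON = """{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "catalogVersion": "2026.06.05",
  "count": 2,
  "vulnerabilities": [
    {"cveID": "CVE-2024-21182", "vendorProject": "Oracle", "product": "WebLogic Server",
     "dateAdded": "2026-06-01", "dueDate": "2026-06-22", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2026-45247", "vendorProject": "Mirasvit", "product": "Full Page Cache Warmer",
     "dateAdded": "2026-06-03", "dueDate": "2026-06-24", "knownRansomwareCampaignUse": "Unknown"}
  ]
}"""

# Constructed asset inventory: hostname -> CVE IDs reported by the scanner.
# CVE-2000-00001 is a placeholder for an ordinary, non-KEV finding.
SAMPLE_INVENTORY = {
    "weblogic-prod-01": ["CVE-2024-21182", "CVE-2000-00001"],
    "shop-web-02": ["CVE-2026-45247"],
    "build-runner-03": ["CVE-2026-46243"],  # distro advisory only, not in KEV yet
}

def parse_kev(text):
    """Index a KEV catalogue JSON document by cveID."""
    return {v["cveID"]: v for v in json.loads(text)["vulnerabilities"]}

def new_entries(catalog, seen_ids):
    """Entries not in the previously seen set: the feed itself carries no changelog."""
    return [e for cve, e in catalog.items() if cve not in seen_ids]

def correlate(catalog, inventory, today_iso):
    """Match scanner findings against KEV; one row per (host, CVE), most urgent first."""
    today = date.fromisoformat(today_iso)
    rows = []
    for host, cves in inventory.items():
        for cve in cves:
            entry = catalog.get(cve)
            if entry is None:
                continue  # not in KEV: normal patch cadence applies
            days_left = (date.fromisoformat(entry["dueDate"]) - today).days
            rows.append({"host": host, "cve": cve, "product": entry["product"],
                         "ransomware": entry["knownRansomwareCampaignUse"] == "Known",
                         "days_to_deadline": days_left})
    # Ransomware-linked entries first, then the soonest BOD 22-01 deadline.
    return sorted(rows, key=lambda r: (not r["ransomware"], r["days_to_deadline"]))
```

Persist the set of cveIDs already seen between polls so that new_entries only reports genuine additions; a negative days_to_deadline flags a missed BOD 22-01 deadline.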
BOD 22-01 Compliance for Federal Agencies
Federal civilian executive branch (FCEB) agencies are required under BOD 22-01 to remediate KEV-listed vulnerabilities within the deadlines specified in the catalogue. As of 5 June, the active open deadlines are:
- CVE-2024-21182 (Oracle WebLogic): 22 June 2026
- CVE-2026-45247 (Mirasvit Magento): 24 June 2026
- All KEV entries from prior months with unmet deadlines
FCEB agencies should audit their WebLogic and Magento deployments against these deadlines immediately and escalate any remediation blockers to the CISO level.