The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added seven Microsoft and Adobe vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in real-world attacks. The update spans flaws dating back to 2008, including a critical Windows Server buffer overflow and multiple Internet Explorer use-after-free vulnerabilities. Federal agencies must remediate all listed flaws by June 3, 2026.
The oldest entry, CVE-2008-4250, carries a CVSS v3.1 score of 9.8 and affects the Microsoft Windows Server service. The vulnerability allows remote code execution through crafted RPC requests that trigger a buffer overflow during path canonicalization, requiring no authentication. It impacts legacy systems including Windows XP, Server 2003, Vista, and Server 2008.
Also added are CVE-2009-1537, a DirectX NULL byte overwrite flaw (CVSS 9.3) exploitable through crafted QuickTime media files, and CVE-2009-3459, a heap-based buffer overflow in Adobe Acrobat and Reader (CVSS 9.3) triggered by malicious PDFs. Two Internet Explorer use-after-free vulnerabilities from 2010 were included — CVE-2010-0249 and CVE-2010-0806, both rated 9.3. The latter was previously exploited as a zero-day by the APT group GREF.
Two newer Microsoft Defender flaws round out the update. CVE-2026-41091 (CVSS 7.8) is an elevation of privilege vulnerability that could allow local attackers to gain higher system access. CVE-2026-45498 (CVSS 6.5) is a denial-of-service flaw that could render Defender security services unresponsive.
CISA's KEV catalog operates under Binding Operational Directive 22-01, which requires federal agencies to patch listed vulnerabilities within mandated deadlines. The catalog has become a reference point for private sector vulnerability management as well, with organisations using it to prioritise remediation based on confirmed exploitation rather than theoretical severity scores alone.
For security teams, the update underscores the need to maintain inventories of legacy systems and applications that may still be in production. The presence of nearly two-decade-old flaws in the KEV catalog demonstrates that attackers continue to target unpatched infrastructure, and that delayed remediation of older vulnerabilities remains a measurable risk.
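One way to put the KEV-first prioritisation described above into practice, as an added example that is not part of the article: findings from a scanner are ranked by KEV membership and BOD 22-01 due date before CVSS. The feed URL in the comment is CISA's real one, but the feed excerpt, the scanner inventory, the host names and the `CVE-0000-00000` placeholder are constructed for this demonstration.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json),
# trimmed to the fields used here. CVE IDs and the due date are taken from the article.
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "product": "DirectX", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2009-3459", "vendorProject": "Adobe", "product": "Acrobat and Reader", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2010-0249", "vendorProject": "Microsoft", "product": "Internet Explorer", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender", "dueDate": "2026-06-03"},
    {"cveID": "CVE-2026-45498", "vendorProject": "Microsoft", "product": "Defender", "dueDate": "2026-06-03"},
]})

# Constructed scanner output, one row per (host, CVE). Host names are made up;
# "CVE-0000-00000" is a placeholder for a high-CVSS finding that is NOT in KEV.
INVENTORY = [
    {"host": "ws-042", "cve": "CVE-0000-00000", "cvss": 9.1},
    {"host": "ws-042", "cve": "CVE-2026-45498", "cvss": 6.5},
    {"host": "legacy-fs01", "cve": "CVE-2008-4250", "cvss": 9.8},
    {"host": "ie-kiosk-7", "cve": "CVE-2010-0806", "cvss": 9.3},
]

def load_kev(feed_json: str) -> dict:
    """Index a KEV feed by CVE ID so each lookup is a dict hit."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}

def prioritise(inventory: list, kev: dict, today: date) -> list:
    """Order findings: KEV-listed first, then by days until (or past) the KEV due date,
    then by CVSS. Non-KEV findings keep their CVSS order but sort after every KEV entry."""
    rows = []
    for item in inventory:
        entry = kev.get(item["cve"])
        due = date.fromisoformat(entry["dueDate"]) if entry else None
        rows.append({**item, "in_kev": entry is not None, "due_date": due,
                     "days_left": (due - today).days if due else None})
    rows.sort(key=lambda r: (not r["in_kev"],
                             r["days_left"] if r["days_left"] is not None else float("inf"),
                             -r["cvss"]))
    return rows

def overdue(rows: list) -> list:
    """Findings still open on a host after the BOD 22-01 due date has passed."""
    return [r for r in rows if r["in_kev"] and r["days_left"] < 0]

if __name__ == "__main__":
    for r in prioritise(INVENTORY, load_kev(KEV_SAMPLE), date(2026, 5, 20)):
        print(f'{r["host"]:12} {r["cve"]:15} KEV={r["in_kev"]!s:5} due={r["due_date"]} cvss={r["cvss"]}')
```

Swapping `KEV_SAMPLE` for the downloaded feed and `INVENTORY` for real scanner export is the only change needed to run this against a live estate.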
