The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has expanded its Known Exploited Vulnerabilities (KEV) catalog with a fresh batch of security flaws affecting widely used desktop and developer tools, including Daemon Tools, TanStack, and Nx Console, as well as Windows Shell and ConnectWise ScreenConnect.

According to Security Affairs, which reported the update on 28 May 2026, the newly cataloged vulnerabilities all carry evidence of active exploitation in the wild. Under binding operational directive BOD 22-01, federal civilian agencies are required to remediate or mitigate KEV-listed flaws within specified timeframes, making prompt patching a compliance obligation rather than a best practice.

Developer Workflows in the Crosshairs

The inclusion of TanStack and Nx Console is particularly noteworthy. TanStack — the open-source library suite behind TanStack Query and TanStack Router — has seen widespread adoption across the JavaScript and TypeScript ecosystem, with its packages collectively recording tens of millions of weekly downloads on npm. Nx Console, an IDE extension for the Nx build system, which is used extensively in enterprise monorepo workflows, similarly sits at the heart of many organisations' CI/CD pipelines.

A vulnerability in either of these tools poses a serious software supply chain risk. If an attacker can exploit a flaw in a library or IDE extension that developers trust and integrate directly into their build processes, the potential for downstream compromise of applications and deployment pipelines grows significantly.

Desktop Software and Remote Access Tools Under Fire

Daemon Tools, a long-standing disc imaging and virtual drive utility, carries a substantial installed base across both consumer and enterprise workstations. That ubiquity makes it a practical foothold for attackers — a single exploited flaw can grant access across thousands of endpoints with minimal reconnaissance.

ConnectWise ScreenConnect, which also appears in this round of KEV additions, is no stranger to active exploitation. The remote access tool has been repeatedly targeted by threat actors in recent years, with multiple critical vulnerabilities leveraged in ransomware campaigns and espionage operations. Its continued presence on the KEV catalog underscores the persistent risk that remote management tools present when left unpatched.

Windows Shell, a core component of the Windows operating system, rounds out the update, broadening the potential attack surface to virtually any Windows environment where the flaw remains unresolved.

Why the KEV Catalog Matters Beyond Government

While the KEV catalog is primarily a directive mechanism for U.S. federal agencies, it serves as a crucial reference point for private-sector security teams worldwide. The catalog is widely regarded as a high-confidence list of vulnerabilities that are being actively weaponized — meaning any organisation, regardless of jurisdiction, should treat KEV additions as a priority for patching and risk assessment.

For IT teams and developers, this latest update is a reminder that security risks extend beyond traditional enterprise software. The tools developers rely on daily — libraries, build systems, and IDE extensions — are increasingly attractive targets for adversaries seeking to compromise supply chains at their source.

Organisations should review the newly listed CVEs, assess their exposure, and apply patches or mitigations as soon as possible, particularly where developer tooling or remote access software is in use.
