CISA Adds Two Known Exploited Vulnerabilities to Catalog

CISA has updated its Known Exploited Vulnerabilities (KEV) Catalog with two new vulnerabilities. These vulnerabilities, CVE-2026-21385 and CVE-2026-22719, are actively being exploited by malicious actors. The vulnerabilities involve memory corruption in Qualcomm chipsets and command injection in VMware Aria Operations. These types of vulnerabilities are high-risk attack vectors for cyberattacks. The KEV Catalog is a list of known CVEs posing significant risks. Binding Operational Directive 22-01 mandates FCEB agencies to remediate these vulnerabilities. Agencies must meet specific deadlines for remediation to protect their networks. While BOD 22-01 primarily targets federal agencies, CISA recommends all organizations prioritize KEV remediation. Timely remediation of KEV vulnerabilities is crucial for effective vulnerability management. CISA will continuously update the KEV catalog with any newly discovered critical vulnerabilities.