

Ethical Hacking News

U.S. CISA Adds Microsoft and Adobe Flaws to Its Known Exploited Vulnerabilities Catalog: A Wake-Up Call for Organizations Worldwide


U.S. CISA adds Microsoft and Adobe flaws to its Known Exploited Vulnerabilities catalog, serving as a stark reminder to organizations worldwide to prioritize patch management and bolster their defenses against sophisticated threats.

  • US Cybersecurity and Infrastructure Security Agency (CISA) has added Microsoft and Adobe vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog.
  • CISA has identified high-severity vulnerabilities in popular software applications, including Windows Shell and ConnectWise ScreenConnect from Microsoft, and Adobe Acrobat and Reader.
  • The first vulnerability, CVE-2008-4250, is a critical remote code execution flaw in the Windows Server service (MS08-067) affecting older versions of Windows.
  • The second vulnerability, CVE-2009-1537, is a critical vulnerability in Microsoft DirectX caused by a NULL byte overwrite issue.
  • The third vulnerability, CVE-2009-3459, is a critical heap-based buffer overflow vulnerability in Adobe Acrobat and Adobe Reader.
  • CISA has also identified vulnerabilities in Microsoft Internet Explorer, including CVE-2010-0249 and CVE-2010-0806.
  • Private organizations are advised to review the KEV catalog and address the vulnerabilities in their infrastructure by June 3, 2026.



    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a slew of critical vulnerabilities from Microsoft and Adobe to its Known Exploited Vulnerabilities (KEV) catalog, serving as a stark reminder to organizations worldwide to prioritize patch management and bolster their defenses against sophisticated threats.

    In a move that underscores the evolving threat landscape, CISA has identified several high-severity vulnerabilities in popular software applications, including Windows Shell and ConnectWise ScreenConnect from Microsoft, and Adobe Acrobat and Reader. These flaws, which have been tracked with critical severity scores of 9.8, 9.3, and 9.3 respectively, pose a significant risk to organizations that fail to address them promptly.

    The first vulnerability added to the KEV catalog, CVE-2008-4250, is a critical remote code execution flaw in the Microsoft Windows Server service, associated with the MS08-067 vulnerability. This flaw affects older versions of Windows, including Windows XP, Server 2003, Vista, and Server 2008, making it a prime target for attackers seeking to exploit a broad attack surface.

    The second vulnerability added to the catalog, CVE-2009-1537, is a critical vulnerability in Microsoft DirectX caused by a NULL byte overwrite issue. This flaw affects multiple Windows versions and can allow remote code execution if a user opens a specially crafted QuickTime media file, underscoring the need for organizations to exercise extreme caution when deploying media content.

    The third vulnerability added to the catalog, CVE-2009-3459, is a critical heap-based buffer overflow vulnerability in Adobe Acrobat and Adobe Reader. Attackers can exploit this flaw using a specially crafted PDF file, potentially leading to arbitrary code execution on vulnerable systems when the document is opened.

    Furthermore, CISA has identified two additional vulnerabilities in Microsoft Internet Explorer, CVE-2010-0249 and CVE-2010-0806, both of which are use-after-free flaws that pose significant risks. They can be triggered through malicious web content, allowing remote attackers to execute arbitrary code in the context of the current user after the user visits a crafted website.

    CISA has also added two more vulnerabilities to its catalog: CVE-2026-41091, a Microsoft Defender elevation of privilege vulnerability, and CVE-2026-45498, a denial-of-service vulnerability in Microsoft Defender. While these flaws may not be as severe as their counterparts, they still present a significant risk to organizations that fail to address them promptly.

    Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies are required to fix the identified vulnerabilities by June 3, 2026. Private organizations are also advised to review the KEV catalog and address the vulnerabilities in their infrastructure.
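    One way to carry out that review, as an added example that is not part of the original article: match scanner findings against KEV entries and report the days left until the remediation due date. The records follow the field names of CISA's KEV JSON feed (cveID, vendorProject, product, dueDate); the CVE IDs and due date come from the article, while the hostnames and the non-KEV placeholder finding are constructed.

```python
import json
from datetime import date

# Constructed sample shaped like the KEV JSON feed; only the CVE IDs,
# products and the June 3, 2026 due date are taken from the article.
KEV_SAMPLE = json.loads("""
{"vulnerabilities": [
 {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows", "dueDate": "2026-06-03"},
 {"cveID": "CVE-2009-1537", "vendorProject": "Microsoft", "product": "DirectX", "dueDate": "2026-06-03"},
 {"cveID": "CVE-2009-3459", "vendorProject": "Adobe", "product": "Acrobat and Reader", "dueDate": "2026-06-03"},
 {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer", "dueDate": "2026-06-03"},
 {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender", "dueDate": "2026-06-03"}
]}
""")

# Constructed scanner output: (hostname, CVE) pairs from a hypothetical inventory.
FINDINGS = [
    ("ws-220", "cve-2026-41091 "),      # scanners differ in case and padding
    ("fs-legacy-01", "CVE-2008-4250"),
    ("kiosk-07", "CVE-2010-0806"),
    ("ws-114", "CVE-2009-3459"),
    ("ws-114", "CVE-0000-0000"),        # placeholder ID, not in the KEV sample
]

def kev_index(feed):
    """Map normalized CVE ID -> KEV record for constant-time lookups."""
    return {v["cveID"].upper(): v for v in feed["vulnerabilities"]}

def triage(findings, feed, today):
    """Return KEV-listed findings as (status, days_left, host, cve, product),
    most urgent first. Findings that are not in the catalog are skipped."""
    index = kev_index(feed)
    rows = []
    for host, cve in findings:
        entry = index.get(cve.strip().upper())
        if entry is None:
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        status = "OVERDUE" if days_left < 0 else "DUE"
        rows.append((status, days_left, host, entry["cveID"], entry["product"]))
    rows.sort(key=lambda r: (r[1], r[2], r[3]))
    return rows

if __name__ == "__main__":
    for status, days, host, cve, product in triage(FINDINGS, KEV_SAMPLE, date(2026, 5, 21)):
        print(f"{status:8} {days:>4}d  {host:14} {cve:16} {product}")
```
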

    Experts stress that this development serves as a wake-up call for organizations worldwide to prioritize patch management and bolster their defenses against sophisticated threats. As CISA continues to update its catalog with new vulnerabilities, it is essential for organizations to stay vigilant and proactive in addressing these risks to avoid becoming the next high-profile victim of a targeted attack.

    In conclusion, the addition of Microsoft and Adobe flaws to the KEV catalog underscores the evolving threat landscape and the critical need for organizations to prioritize patch management and bolster their defenses against sophisticated threats.





  • Published: Thu May 21 17:08:28 2026 by llama3.2 3B Q4_K_M












