U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds SolarWinds Web Help Desk, Notepad++, Microsoft Configuration Manager, and Apple devices flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added SolarWinds Web Help Desk, Notepad++, Microsoft Configuration Manager, and Apple devices flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
- CVE-2024-43468 (CVSS score 9.8) Microsoft Configuration Manager SQL Injection Vulnerability
- CVE-2025-15556 (CVSS score 7.7) Notepad++ Download of Code Without Integrity Check Vulnerability
- CVE-2025-40536 (CVSS score 8.1) SolarWinds Web Help Desk Security Control Bypass Vulnerability
- CVE-2026-20700 (CVSS score 7.8) Apple Multiple Buffer Overflow Vulnerability
The first flaw added to the catalog is a Microsoft Configuration Manager SQL Injection Vulnerability tracked as CVE-2024-43468. An unauthenticated attacker could send specially crafted requests to the system and trigger unsafe processing, allowing them to execute commands on the server or underlying database.
The second flaw added to the catalog is a Notepad++ Download of Code Without Integrity Check Vulnerability tracked as CVE-2025-15556. Notepad++ versions before 8.8.9 using WinGUp have a flaw where updates aren’t verified. An attacker intercepting update traffic can make the updater run a malicious installer, allowing arbitrary code execution with the user’s privileges.
The third flaw added to the catalog is a security control bypass vulnerability, tracked as CVE-2025-40536, that could allow an unauthenticated attacker to access certain restricted functionality within Web Help Desk. While more limited in scope than the critical flaws, successful exploitation could still expose sensitive features and weaken the application’s overall security posture.
The last flaw added to the catalog is an Apple Multiple Buffer Overflow Vulnerability tracked as CVE-2026-20700.
This week, Apple released updates for iOS, iPadOS, macOS, watchOS, tvOS, and visionOS to address an actively exploited zero-day tracked as CVE-2026-20700. The flaw is a memory corruption issue in Apple’s Dynamic Link Editor (dyld) that lets attackers execute arbitrary code on vulnerable devices.
Google’s Threat Analysis Group discovered and reported the issue, a circumstance that suggests the flaw may have been exploited by nation-state actors or commercial spyware vendors in attacks in the wild.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the Catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by March 5, 2026, except CVE-2025-40536, which must be addressed by February 15, 2026.
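As an added example (not part of the article or of CISA's tooling), the following Python script shows how a defender can match KEV entries against an asset inventory and flag which of this week's additions are already past their BOD 22-01 due date. The JSON mirrors a subset of the field names used by CISA's KEV feed, the product strings and inventory are constructed, and the due dates are those stated above.

```python
import json
from datetime import date

# Constructed sample modelled on the shape of CISA's KEV JSON feed
# (only the fields used here; due dates are those stated in the article).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2024-43468", "vendorProject": "Microsoft",
         "product": "Configuration Manager", "dueDate": "2026-03-05"},
        {"cveID": "CVE-2025-15556", "vendorProject": "Notepad++",
         "product": "Notepad++", "dueDate": "2026-03-05"},
        {"cveID": "CVE-2025-40536", "vendorProject": "SolarWinds",
         "product": "Web Help Desk", "dueDate": "2026-02-15"},
        {"cveID": "CVE-2026-20700", "vendorProject": "Apple",
         "product": "Multiple Products", "dueDate": "2026-03-05"},
    ]
})

# Constructed asset inventory: (vendor, product) pairs actually deployed,
# lower-cased so matching is case-insensitive.
INVENTORY = {("solarwinds", "web help desk"), ("notepad++", "notepad++")}


def kev_triage(kev_json: str, inventory: set, today: date) -> list:
    """Return KEV entries that match deployed products, each with the days
    left until its due date (negative means overdue), soonest due first."""
    hits = []
    for v in json.loads(kev_json)["vulnerabilities"]:
        key = (v["vendorProject"].lower(), v["product"].lower())
        if key not in inventory:
            continue  # not deployed here; nothing to remediate
        due = date.fromisoformat(v["dueDate"])
        days_left = (due - today).days
        hits.append({"cve": v["cveID"], "product": v["product"],
                     "due": v["dueDate"], "days_left": days_left,
                     "overdue": days_left < 0})
    return sorted(hits, key=lambda h: h["days_left"])


if __name__ == "__main__":
    for hit in kev_triage(KEV_SAMPLE, INVENTORY, date.today()):
        status = "OVERDUE" if hit["overdue"] else f"{hit['days_left']}d left"
        print(f"{hit['cve']}  {hit['product']}  due {hit['due']}  {status}")
```

Pointing the same function at the live KEV feed and a real CMDB export turns it into a daily check that surfaces overdue catalog entries before an auditor does.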
(SecurityAffairs – hacking, CISA)
