U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds Microsoft and Adobe flaws to its Known Exploited Vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added Windows Shell and ConnectWise ScreenConnect flaws to its Known Exploited Vulnerabilities (KEV) catalog.
Below are the flaws added to the catalog:
- CVE-2008-4250 Microsoft Windows Buffer Overflow Vulnerability
- CVE-2009-1537 Microsoft DirectX NULL Byte Overwrite Vulnerability
- CVE-2009-3459 Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability
- CVE-2010-0249 Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2010-0806 Microsoft Internet Explorer Use-After-Free Vulnerability
- CVE-2026-41091 Microsoft Defender Elevation of Privilege Vulnerability
- CVE-2026-45498 Microsoft Defender Denial of Service Vulnerability
CVE-2008-4250 (CVSS v3.1 score of 9.8) is a critical remote code execution flaw in the Microsoft Windows Server service, addressed by the MS08-067 security bulletin. It affects older versions of Windows, including Windows XP, Server 2003, Vista, and Server 2008. Attackers can exploit it remotely by sending specially crafted RPC requests that trigger a buffer overflow during path canonicalization, allowing arbitrary code execution without authentication.
The second flaw added to the catalog (tracked as CVE-2009-1537, CVSS v2 score of 9.3) is a critical vulnerability in Microsoft DirectX caused by a NULL byte overwrite issue. It affects multiple Windows versions and can allow remote code execution if a user opens a specially crafted QuickTime media file. Successful exploitation could let attackers run arbitrary code with the privileges of the logged-in user.
The third flaw added to the catalog (tracked as CVE-2009-3459, CVSS v2 score of 9.3) is a critical heap-based buffer overflow vulnerability in Adobe Acrobat and Adobe Reader. Attackers can exploit the flaw using a specially crafted PDF file, potentially leading to arbitrary code execution on vulnerable systems when the document is opened.
The fourth flaw added to the catalog (tracked as CVE-2010-0249, CVSS v2 score of 9.3) is a critical use-after-free vulnerability in Microsoft Internet Explorer. The flaw can be triggered through malicious web content, allowing remote attackers to execute arbitrary code in the context of the current user after visiting a crafted website.
The fifth flaw added to the catalog (tracked as CVE-2010-0806, CVSS v2 score of 9.3) is another critical use-after-free vulnerability in Microsoft Internet Explorer. It affects older IE versions and allows attackers to gain remote code execution by convincing users to visit a malicious webpage containing specially crafted HTML and scripting content. The APT group GREF exploited the flaw as a zero-day in targeted attacks.
The sixth flaw added to the catalog (tracked as CVE-2026-41091, CVSS v3.1 score of 7.8) is a Microsoft Defender elevation of privilege vulnerability. Successful exploitation could allow a local attacker to gain higher privileges on the affected system, potentially enabling further compromise or lateral movement within a network.
The seventh flaw added to the catalog (tracked as CVE-2026-45498, CVSS v3.1 score of 6.5) is a denial-of-service vulnerability in Microsoft Defender. An attacker could exploit the flaw to cause security services to become unavailable or unresponsive, impacting the protection capabilities of affected Windows systems.
According to Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies have to address the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog.
Experts also recommend that private organizations review the catalog and address the vulnerabilities in their infrastructure.
CISA orders federal agencies to fix the vulnerabilities by June 3, 2026.
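The BOD 22-01 workflow described above (new KEV entries, a remediation due date, and an obligation to fix affected assets by that date) is something defenders usually script rather than read by hand. The following is an added example, not code from the article or from CISA: it loads KEV-shaped records, matches them against a small asset inventory, and buckets each applicable CVE by how close the due date is. The field names mirror the public KEV JSON feed (cveID, vendorProject, product, vulnerabilityName, dateAdded, dueDate); the sample entries and inventory rows are constructed for the example, with the CVE IDs and the June 3, 2026 due date taken from the article and the vendor/product strings and dateAdded values being illustrative placeholders.

```python
"""Triage CISA KEV entries against an asset inventory (added example).

Field names follow the public KEV JSON feed; the records below are CONSTRUCTED:
CVE IDs and the 2026-06-03 due date come from the article, while the
vendor/product strings, vulnerability names and dateAdded values are placeholders.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

KEV_SAMPLE = {
    "vulnerabilities": [
        {"cveID": "CVE-2008-4250", "vendorProject": "Microsoft", "product": "Windows",
         "vulnerabilityName": "Microsoft Windows Buffer Overflow Vulnerability",
         "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2009-3459", "vendorProject": "Adobe", "product": "Acrobat and Reader",
         "vulnerabilityName": "Adobe Acrobat and Reader Heap-Based Buffer Overflow Vulnerability",
         "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2010-0806", "vendorProject": "Microsoft", "product": "Internet Explorer",
         "vulnerabilityName": "Microsoft Internet Explorer Use-After-Free Vulnerability",
         "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
        {"cveID": "CVE-2026-41091", "vendorProject": "Microsoft", "product": "Defender",
         "vulnerabilityName": "Microsoft Defender Elevation of Privilege Vulnerability",
         "dateAdded": "2026-05-13", "dueDate": "2026-06-03"},
    ]
}

# Constructed inventory rows, shaped like a CMDB export: one host per row.
INVENTORY = [
    {"host": "legacy-srv-01", "vendor": "Microsoft", "product": "Windows Server 2003"},
    {"host": "ws-07", "vendor": "Adobe", "product": "Acrobat and Reader 9"},
    {"host": "ws-12", "vendor": "Microsoft", "product": "Microsoft Defender Antivirus"},
]

DUE_SOON_DAYS = 7  # window in which an upcoming due date is flagged for escalation


@dataclass(frozen=True)
class KevEntry:
    cve_id: str
    vendor: str
    product: str
    name: str
    date_added: date
    due_date: date


def parse_kev(feed: dict) -> list[KevEntry]:
    """Turn a KEV-shaped dict (top-level key 'vulnerabilities') into typed entries."""
    return [
        KevEntry(
            cve_id=v["cveID"],
            vendor=v["vendorProject"],
            product=v["product"],
            name=v["vulnerabilityName"],
            date_added=date.fromisoformat(v["dateAdded"]),
            due_date=date.fromisoformat(v["dueDate"]),
        )
        for v in feed.get("vulnerabilities", [])
    ]


def matches_asset(entry: KevEntry, asset: dict) -> bool:
    """Vendor must match exactly (case-insensitive); product is a substring match.

    KEV entries carry no version ranges, so this is deliberately coarse: it flags
    candidates for review, and the vendor advisory decides whether a host is affected.
    """
    return (entry.vendor.lower() == asset["vendor"].lower()
            and entry.product.lower() in asset["product"].lower())


def affected_hosts(feed: dict, inventory: list[dict]) -> dict[str, list[str]]:
    """Map each KEV CVE to the sorted list of inventory hosts it may apply to."""
    return {
        e.cve_id: sorted(a["host"] for a in inventory if matches_asset(e, a))
        for e in parse_kev(feed)
    }


def triage(feed: dict, inventory: list[dict], today: str | date) -> dict[str, list[str]]:
    """Bucket applicable CVEs by remediation urgency relative to `today`."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    hosts_by_cve = affected_hosts(feed, inventory)
    report: dict[str, list[str]] = {"overdue": [], "due_soon": [], "on_track": [], "not_present": []}
    for entry in parse_kev(feed):
        if not hosts_by_cve[entry.cve_id]:
            report["not_present"].append(entry.cve_id)
            continue
        days_left = (entry.due_date - today).days
        if days_left < 0:
            report["overdue"].append(entry.cve_id)
        elif days_left <= DUE_SOON_DAYS:
            report["due_soon"].append(entry.cve_id)
        else:
            report["on_track"].append(entry.cve_id)
    return report


if __name__ == "__main__":
    hosts = affected_hosts(KEV_SAMPLE, INVENTORY)
    for bucket, cves in triage(KEV_SAMPLE, INVENTORY, "2026-05-20").items():
        for cve in cves:
            print(f"{bucket:12} {cve} -> {', '.join(hosts[cve]) or '-'}")
```

In practice the feed dict comes from the live KEV JSON download and the inventory from a CMDB or endpoint-management export; the substring match on product is intentionally over-inclusive because the catalog does not record affected versions, so each hit still needs confirmation against the vendor advisory before a ticket is closed.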