The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added five new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, signaling confirmed active exploitation in the wild. The additions include a Microsoft Office zero-day being exploited by Russian state-sponsored actors within days of disclosure.
January 26, 2026 additions
| CVE ID | CVSS | Product | Vulnerability Type | Deadline |
|---|---|---|---|---|
| CVE-2026-21509 | 7.8 | Microsoft Office | Security Feature Bypass | Feb 16, 2026 |
| CVE-2018-14634 | 7.8 | Linux Kernel | Integer Overflow | Feb 16, 2026 |
| CVE-2025-52691 | 9.8 | SmarterTools SmarterMail | Unrestricted File Upload | Feb 16, 2026 |
| CVE-2026-23760 | 9.1 | SmarterTools SmarterMail | Authentication Bypass | Feb 16, 2026 |
| CVE-2026-24061 | 8.1 | GNU InetUtils | Argument Injection | Feb 16, 2026 |
CVE-2026-21509: Microsoft Office zero-day
Overview
Microsoft released an out-of-band emergency patch on January 27, 2026, to address CVE-2026-21509, a security feature bypass vulnerability affecting multiple Office products. The vulnerability was added to KEV just one day after disclosure due to confirmed state-sponsored exploitation.
Technical details
| Attribute | Value |
|---|---|
| CVE | CVE-2026-21509 |
| CVSS Score | 7.8 (High) |
| CWE | CWE-357 (Insufficient UI Warning) |
| Attack Vector | Local (requires user interaction) |
| Impact | OLE mitigation bypass |
| User Interaction | Opening malicious Office file |
The vulnerability stems from the application’s reliance on untrusted inputs when making security decisions, allowing attackers to bypass Object Linking and Embedding (OLE) security mitigations. This exposes users to vulnerable COM/OLE controls that Microsoft had previously blocked.
Discovery credits
| Organization | Role |
|---|---|
| Microsoft Threat Intelligence Center (MSTIC) | Discovery and attribution |
| Microsoft Security Response Center (MSRC) | Vulnerability analysis |
| Office Product Group Security Team | Patch development |
| Google Threat Intelligence Group (GTIG) | Independent discovery |
The joint credit to both Microsoft and Google suggests multiple independent discoveries, likely driven by observed exploitation attempts.
Affected products
| Product | Status |
|---|---|
| Microsoft Office 2016 | Interim mitigations available |
| Microsoft Office 2019 | Interim mitigations available |
| Microsoft Office LTSC 2021 | Patch available |
| Microsoft Office LTSC 2024 | Patch available |
| Microsoft 365 Apps for Enterprise | Patch available (service-side) |
Active exploitation: Operation Neusploit
Attribution: Microsoft Threat Intelligence Center (MSTIC) confirmed that APT28 (Fancy Bear/UAC-0001)—a Russian GRU-linked threat actor—is actively exploiting CVE-2026-21509.
| Campaign attribute | Details |
|---|---|
| Campaign name | Operation Neusploit |
| Threat actor | APT28 / Fancy Bear / UAC-0001 |
| Attribution | Russia’s GRU (Unit 26165) |
| Time to weaponization | <24 hours after disclosure |
| Targets | Ukraine, Slovakia, Romania |
| Target count | 60+ email addresses (CERT-UA) |
Attack chain variants
Zscaler ThreatLabz identified two attack chain variants:
| Variant | Payload | Purpose |
|---|---|---|
| Variant 1 | MiniDoor | Outlook email-stealing malware |
| Variant 2 | PixyNetLoader → Covenant Grunt | Full C2 implant |
Both variants begin with a specially crafted RTF file that weaponizes CVE-2026-21509 and downloads a malicious dropper DLL from the threat actor’s server.
| Version | Action |
|---|---|
| Microsoft 365 / Office 2021+ / LTSC | Apply final patch immediately |
| Office 2016 | Update to 16.0.5539.1001+ |
| Office 2019 | Update to 16.0.10417.20095+ |
CVE-2018-14634: Linux kernel integer overflow
Why a 2018 CVE matters now
This addition highlights a critical reality: attackers continue exploiting old vulnerabilities that organizations have overlooked or failed to patch.
| Attribute | Value |
|---|---|
| CVE | CVE-2018-14634 |
| CVSS | 7.8 (High) |
| Age | Nearly 8 years old |
| Type | Integer overflow in create_elf_tables() |
| Impact | Local privilege escalation |
| Root cause | Unpatched legacy systems |
CVE-2018-14634 is an integer overflow in the Linux kernel’s create_elf_tables() function that can lead to privilege escalation. Although the flaw is nearly eight years old, its active exploitation demonstrates that unpatched systems remain targets.
Affected distributions
| Distribution | Status |
|---|---|
| Red Hat Enterprise Linux 6 | EOL, no patches |
| Red Hat Enterprise Linux 7 | Patch available |
| CentOS 6/7 | Mirror RHEL status |
| Oracle Linux | Patch available |
| Derivatives | Check vendor advisories |
Why old CVEs persist
| Factor | Explanation |
|---|---|
| Legacy systems | Production systems that “can’t” be updated |
| Air-gapped environments | Infrequent patching cycles |
| EOL software | No patches available |
| Patch fatigue | Old CVEs deprioritized |
| Unknown inventory | Systems forgotten by IT |
Organizations cannot assume old CVEs are no longer relevant. Attackers specifically target known vulnerabilities hoping patches have been missed.
SmarterMail vulnerabilities
Two critical flaws in SmarterTools SmarterMail, a popular email server platform:
CVE-2025-52691: Unrestricted file upload
| Attribute | Value |
|---|---|
| CVSS | 9.8 (Critical) |
| Type | Unrestricted file upload |
| Authentication | None required |
| Impact | Remote code execution |
The flaw allows unauthenticated attackers to upload arbitrary files, which can lead to remote code execution on the mail server.
CVE-2026-23760: Authentication bypass
| Attribute | Value |
|---|---|
| CVSS | 9.1 (Critical) |
| Type | Authentication bypass |
| Authentication | None required |
| Impact | Full administrative access |
The flaw enables attackers to bypass the authentication mechanisms entirely and gain administrative access to the email platform.
Combined impact
Email servers are high-value targets. Compromise provides access to:
| Asset | Risk |
|---|---|
| Email content | Business communications, sensitive data |
| Attachments | Documents, credentials |
| Contact lists | Phishing target identification |
| Credentials | Password reuse across systems |
| Internal communications | Business intelligence |
| Launching point | BEC, lateral movement |
CVE-2026-24061: GNU InetUtils argument injection
| Attribute | Value |
|---|---|
| CVE | CVE-2026-24061 |
| CVSS | 8.1 (High) |
| Product | GNU InetUtils |
| Type | Argument injection |
| Impact | Command execution |
CVE-2026-24061 is an argument injection vulnerability in GNU InetUtils, a collection of commonly used networking utilities (including ftp, telnet, rsh and rlogin), that can be exploited for command execution.
Affected utilities
| Utility | Common use |
|---|---|
| ftp | File transfer |
| telnet | Remote access |
| rsh | Remote shell |
| rlogin | Remote login |
| tftp | Trivial file transfer |
Compliance requirements
Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate KEV catalog vulnerabilities by specified due dates.
| Deadline | Vulnerabilities | Scope |
|---|---|---|
| February 16, 2026 | All five January 26 additions | FCEB agencies |
BOD 22-01 requirements
| Requirement | Details |
|---|---|
| Scope | All FCEB agencies |
| Compliance | Mandatory, not optional |
| Timeline | Specified per vulnerability |
| Reporting | Agency-level tracking |
| Exceptions | Limited, require approval |
Private sector guidance
While BOD 22-01 only applies to federal agencies, CISA strongly recommends all organizations:
| Action | Rationale |
|---|---|
| Prioritize KEV vulnerabilities | Confirmed real-world attack vectors |
| Use KEV for patch prioritization | Not all CVEs are equal |
| Track KEV additions | Subscribe to CISA alerts |
| Integrate into vuln management | Automated prioritization |
| Reduce remediation windows | KEV items shouldn’t wait for normal cycles |
Earlier January 2026 KEV additions
January 22, 2026 additions
| CVE ID | Product | Issue |
|---|---|---|
| CVE-2026-21798 | Vite | Build tool vulnerability |
| CVE-2026-20103 | Versa Concerto | Network management flaw |
| CVE-2026-19842 | eslint-config-prettier | Supply chain compromise |
| CVE-2026-18731 | Zimbra Collaboration Suite | Email platform vulnerability |
The eslint-config-prettier entry is notable—it represents a supply chain compromise in which malicious code was embedded in a legitimate npm package, demonstrating that KEV now tracks software supply chain attacks.
KEV catalog statistics
| Metric | Value |
|---|---|
| Total KEV entries | 1,200+ |
| 2026 additions (YTD) | 45+ |
| Average monthly additions | 15-20 |
| Covered vendors | 200+ |
| Age range | 2002-2026 |
Recommendations
For security teams
| Priority | Action |
|---|---|
| Immediate | Patch CVE-2026-21509 across all Office installations |
| Immediate | Verify SmarterMail patching status |
| High | Audit for CVE-2018-14634 on Linux systems |
| High | Review GNU InetUtils deployments |
| Ongoing | Monitor KEV catalog for additions |
For vulnerability management programs
| Practice | Implementation |
|---|---|
| KEV integration | Flag KEV entries for priority remediation |
| Reduced SLAs | KEV items should not wait for normal patch cycles |
| Coverage tracking | Report on KEV vulnerability closure rates |
| Historical review | Scan for older KEV entries that may have been missed |
| Automated alerting | Subscribe to CISA KEV RSS/JSON feeds |
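The private-sector guidance above and the vulnerability management practices in this table (KEV integration, reduced SLAs, closure-rate reporting, historical review) come together in one small triage step: join scanner output against the KEV feed and sort by due date. The script below is an added example written for this article, not CISA tooling. It uses the field names of CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate, knownRansomwareCampaignUse) but runs entirely offline on a constructed excerpt of that feed; the host names, the non-KEV CVE-2024-00000 placeholder, the 14-day internal SLA and the five-year "legacy" threshold are all assumptions made for the example.

```python
"""Triage scanner findings against the CISA KEV catalog.

Added example for this article, not CISA tooling. It uses the field names of
CISA's public KEV JSON feed (cveID, vendorProject, product, dateAdded, dueDate,
knownRansomwareCampaignUse) but runs entirely offline on a constructed excerpt
of that feed and a constructed scanner inventory; every host name and the
non-KEV CVE below are placeholders.
"""
import json
from datetime import date, timedelta

# Constructed excerpt in the shape of the KEV feed, limited to the fields used here.
# Dates match the January 26 additions discussed in the article.
KEV_FEED_JSON = """
{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2026-21509", "vendorProject": "Microsoft", "product": "Office",
     "dateAdded": "2026-01-26", "dueDate": "2026-02-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2018-14634", "vendorProject": "Linux", "product": "Kernel",
     "dateAdded": "2026-01-26", "dueDate": "2026-02-16", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2025-52691", "vendorProject": "SmarterTools", "product": "SmarterMail",
     "dateAdded": "2026-01-26", "dueDate": "2026-02-16", "knownRansomwareCampaignUse": "Unknown"}
  ]
}
"""

# Constructed scanner output: host -> CVEs the scanner reported as present.
# CVE-2024-00000 is a placeholder for an ordinary, non-KEV finding.
SCANNER_FINDINGS = {
    "mail01": ["CVE-2025-52691", "CVE-2024-00000"],
    "build07": ["CVE-2018-14634"],
    "ws-finance-12": ["CVE-2026-21509", "CVE-2024-00000"],
}

# Assumed internal SLA for KEV items, deliberately shorter than a normal patch cycle.
KEV_SLA_DAYS = 14
# A CVE at least this many years older than the current year counts as "legacy".
LEGACY_YEARS = 5


def load_kev(feed_json):
    """Index the feed by CVE ID so each scanner finding is a single dict lookup."""
    data = json.loads(feed_json)
    return {v["cveID"]: v for v in data["vulnerabilities"]}


def triage(findings, kev, today_iso):
    """Return one record per (host, CVE) pair that is in KEV, most urgent first.

    The due date is the earlier of CISA's dueDate and the internal SLA counted
    from dateAdded. A negative days_left means the item is already overdue.
    Findings not in KEV are left to the normal patch cycle.
    """
    today = date.fromisoformat(today_iso)
    records = []
    for host, cves in findings.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            added = date.fromisoformat(entry["dateAdded"])
            due = min(date.fromisoformat(entry["dueDate"]),
                      added + timedelta(days=KEV_SLA_DAYS))
            records.append({
                "host": host,
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "due": due.isoformat(),
                "days_left": (due - today).days,
                "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
                # Old CVE IDs that only now reached KEV are the "historical review" case.
                "legacy_cve": int(cve.split("-")[1]) <= today.year - LEGACY_YEARS,
            })
    # Soonest due first; among equals, known ransomware use first, then CVE ID.
    records.sort(key=lambda r: (r["days_left"], not r["ransomware"], r["cve"]))
    return records


def kev_closure_rate(findings, kev, remediated):
    """Fraction of KEV (host, CVE) pairs already closed; remediated is a set of tuples."""
    open_items = [(h, c) for h, cves in findings.items() for c in cves if c in kev]
    if not open_items:
        return 1.0
    return sum(1 for item in open_items if item in remediated) / len(open_items)


if __name__ == "__main__":
    kev = load_kev(KEV_FEED_JSON)
    for r in triage(SCANNER_FINDINGS, kev, "2026-02-10"):
        state = "OVERDUE" if r["days_left"] < 0 else f'{r["days_left"]}d left'
        flags = " legacy" if r["legacy_cve"] else ""
        print(f'{r["host"]:<14} {r["cve"]:<16} {r["product"]:<24} due {r["due"]} {state}{flags}')
```

In production the constructed feed string would be replaced by the downloaded KEV JSON and the inventory by the scanner's export; the point of the design is that KEV membership, not CVSS, drives the sort, and that the internal SLA can only tighten CISA's date, never relax it.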
Detection guidance
| Vulnerability | Detection approach |
|---|---|
| CVE-2026-21509 | RTF files with OLE objects from external sources |
| CVE-2018-14634 | Kernel version auditing, privilege escalation monitoring |
| SmarterMail CVEs | Web application scanning, auth log monitoring |
| CVE-2026-24061 | InetUtils version checking |
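The first row of the detection table, "RTF files with OLE objects from external sources", can be turned into a concrete check at a mail gateway or in a sandbox: look for the RTF control words that introduce or describe an embedded object and route those documents for review. The script below is an added example for this article, not a published detection rule or vendor code. The control words it matches (\object, \objemb, \objlink, \objautlink, \objclass, \objdata, \objupdate) are defined in the RTF specification; the sample documents, their file names and the placeholder objdata hex are constructed, and the three-level verdict scheme is an assumption of the example.

```python
"""Flag RTF attachments that carry embedded or linked OLE objects.

Added example for this article, not a published detection rule or vendor code.
It looks for the RTF control words that introduce an object (\\object, \\objemb,
\\objlink, \\objautlink, \\objclass, \\objdata, \\objupdate, all defined in the RTF
specification) and summarises what it sees; it never parses or renders the
object itself. The sample documents at the bottom are constructed.
"""
import re

# Control words that open or describe an OLE object. The negative lookahead
# keeps "object" from matching a longer, unrelated word such as "objectx".
OLE_CONTROL_WORDS = (b"object", b"objemb", b"objlink", b"objautlink",
                     b"objclass", b"objdata", b"objupdate")
_CTRL = re.compile(rb"\\(" + b"|".join(OLE_CONTROL_WORDS) + rb")(?![A-Za-z])")
_OBJCLASS = re.compile(rb"\\objclass\s+([^}\\]+)")


def is_rtf(data):
    """RTF documents start with an open brace followed by the \\rtf keyword."""
    head = data.lstrip()
    return head[:1] == b"{" and head[1:5].lower() == b"\\rtf"


def inspect_rtf(data):
    """Summarise OLE usage in one document.

    verdict is one of: not-rtf, clean, review (object present), review-urgent
    (object present and \\objupdate asks the host to refresh it on open).
    """
    if not is_rtf(data):
        return {"rtf": False, "ole_objects": 0, "classes": [], "auto_update": False,
                "verdict": "not-rtf"}
    words = [m.group(1) for m in _CTRL.finditer(data)]
    count = words.count(b"object")
    classes = [c.strip().decode("ascii", "replace") for c in _OBJCLASS.findall(data)]
    auto_update = b"objupdate" in words
    if count == 0:
        verdict = "clean"
    elif auto_update:
        verdict = "review-urgent"
    else:
        verdict = "review"
    return {"rtf": True, "ole_objects": count, "classes": classes,
            "auto_update": auto_update, "verdict": verdict}


def scan(files):
    """Return {name: verdict} for every file that is RTF and not clean."""
    results = {}
    for name, data in files.items():
        summary = inspect_rtf(data)
        if summary["rtf"] and summary["verdict"] != "clean":
            results[name] = summary["verdict"]
    return results


# Constructed samples. The objdata hex is a placeholder, not a real OLE stream.
SAMPLES = {
    "agenda.rtf": b"{\\rtf1\\ansi Quarterly planning agenda.\\par}",
    "invoice.rtf": (b"{\\rtf1\\ansi {\\object\\objemb{\\*\\objclass Word.Document.8}"
                    b"{\\*\\objdata 0105000002000000}}\\par}"),
    "update.rtf": (b"{\\rtf1\\ansi {\\object\\objemb\\objupdate{\\*\\objclass Word.Document.8}"
                   b"{\\*\\objdata 0105000002000000}}\\par}"),
    "photo.jpg": b"\xff\xd8\xff\xe0 not an RTF file",
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name}: {verdict}")
```

The check is intentionally coarse: many legitimate documents embed objects, so the output is a review queue keyed on "external sender plus embedded object", not a block decision. The reported object class lets an analyst see at a glance which COM/OLE control the document would hand to Office, which is the property the mitigations bypassed by CVE-2026-21509 were protecting.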
Context
The KEV catalog has become a critical prioritization tool for vulnerability management. Unlike CVSS scores alone—which measure theoretical severity—KEV entries represent confirmed exploitation, making them reliable indicators of real-world risk.
| KEV advantage | Explanation |
|---|---|
| Confirmed exploitation | Not theoretical risk |
| Continuous updates | Real-time threat intelligence |
| Clear deadlines | Actionable timelines |
| Cross-vendor coverage | Comprehensive scope |
| Free resource | No subscription required |
The January 26 additions demonstrate the catalog’s value:
- APT28 exploitation of CVE-2026-21509 shows state-sponsored targeting within days of disclosure
- CVE-2018-14634 proves old vulnerabilities remain dangerous
- SmarterMail flaws highlight risks in commonly overlooked infrastructure
- Supply chain entries expand KEV’s scope beyond traditional vulnerabilities
Organizations should treat KEV additions as actionable intelligence requiring immediate attention, not just another item in the patching queue. The rapid weaponization of CVE-2026-21509 by APT28—within 24 hours of disclosure—demonstrates that patch windows are shrinking for high-value vulnerabilities.