CISA has added three new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
CVE-2026-25089 Fortinet FortiSandbox OS Command Injection Vulnerability
CVE-2026-39808 Fortinet FortiSandbox OS Command Injection Vulnerability
CVE-2026-58644 Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.
Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vuln...
Read the full advisory on CISA →