CISA stopped reliably sending KEV alerts.
We didn't.
CyberComply monitors the CISA Known Exploited Vulnerabilities catalog 24/7 and alerts you the moment a new KEV drops — before the deadline clock starts ticking without you knowing.
KEV Intelligence Brief — July 16, 2026
Audience: Federal contractors, DevOps teams, and security operations leaders Classification: Unclassified // For Official Distribution Reporting Period: July 10–15, 2026 | KEV additions: 8
Executive Summary
This week's KEV activity reinforces a clear operational trend: attackers continue prioritizing the infrastructure that enables enterprise operations rather than end-user systems. VPN gateways, identity platforms, collaboration servers, financial applications, legacy network devices, and even building automation systems all received renewed attention as CISA expanded the Known Exploited Vulnerabilities (KEV) Catalog.
The week's activity also aligns with CISA's broader messaging. In addition to these KEV additions, the agency recently issued separate alerts highlighting active exploitation of on-premises Microsoft SharePoint and warning that nation-state actors continue targeting enterprise routers and switches. Together, these developments reinforce a consistent defensive priority: organizations should focus patching and monitoring efforts on the systems that authenticate users, broker remote access, manage business operations, and sit at the enterprise edge.
Immediate Action Required: Enterprise Infrastructure Under Active Exploitation
Several vulnerabilities in this reporting period carry remediation deadlines that have already expired or will expire within the next several days. Organizations operating under BOD 26-04 should prioritize these systems immediately.
CVE-2008-4128 — Cisco IOS 12.4
Originally disclosed in 2008, this cross-site request forgery vulnerability reached the KEV Catalog with a remediation deadline of July 16. Its inclusion is notable not because of technical novelty, but because it confirms active exploitation against legacy infrastructure that remains deployed today.
The vulnerability affects Cisco IOS web management interfaces and may allow privileged commands to be executed through crafted requests. Organizations still operating IOS 12.4 should disable unnecessary HTTP/HTTPS management services, restrict administrative access to dedicated management networks, and prioritize replacement of unsupported hardware wherever possible. The recent CISA advisory on nation-state targeting of enterprise routers further underscores the importance of securing legacy network infrastructure.
CVE-2026-15409 & CVE-2026-15410 — SonicWall SMA1000
Both SonicWall vulnerabilities carry a July 17 remediation deadline.
CVE-2026-15409 allows an unauthenticated attacker to abuse a server-side request forgery (SSRF) vulnerability, while CVE-2026-15410 permits authenticated administrative users to execute arbitrary operating system commands through code injection.
Although the vulnerabilities affect different components of the appliance, their simultaneous addition to the KEV Catalog significantly increases the operational risk for internet-facing SMA1000 deployments. Organizations unable to patch immediately should restrict management access to trusted administrative networks, review exposed interfaces, and rotate privileged administrative credentials.
CVE-2026-56164 — Microsoft SharePoint Server
This missing authentication vulnerability carries a July 17 remediation deadline and should be viewed within the context of CISA's recent SharePoint hardening alert.
Rather than focusing on a single vulnerability, CISA warned that multiple SharePoint vulnerabilities are being actively exploited against on-premises deployments. Organizations should ensure all supported SharePoint servers have received Microsoft's latest cumulative updates, review Microsoft's hardening guidance, minimize unnecessary internet exposure, and investigate delayed patching for signs of compromise.
Identity and Financial Systems Become High-Value Targets
This reporting period also expands active exploitation into two of the enterprise's most sensitive control planes: identity services and financial operations.
CVE-2026-56155 — Microsoft Active Directory Federation Services (AD FS)
This privilege escalation vulnerability carries a July 28 remediation deadline.
Although exploitation requires local access, AD FS remains one of the most critical components within hybrid enterprise environments, serving as a trust anchor between on-premises Active Directory and cloud services. Organizations should prioritize patching while reviewing privileged accounts, service accounts, and recent administrative activity on federation servers.
CVE-2026-46817 — Oracle E-Business Suite
One of the most significant additions in this reporting period is CVE-2026-46817, which carries a July 18 remediation deadline.
The vulnerability allows an unauthenticated attacker with network access over HTTP to compromise Oracle Payments, potentially resulting in complete takeover of the affected component. Because Oracle E-Business Suite commonly supports financial operations, procurement, and payment processing, organizations should treat this as a high-priority remediation effort. Where immediate patching is not possible, exposure should be minimized through network segmentation and access controls while organizations evaluate systems for indicators of compromise.
Beyond Traditional IT: Web Applications and Operational Technology
Two additional KEV entries demonstrate that active exploitation continues to extend beyond traditional enterprise software.
CVE-2026-48939 — iCagenda
With a remediation deadline that expired on July 13, this Joomla event management plugin remains vulnerable to unrestricted file upload attacks capable of resulting in PHP webshell deployment.
Organizations operating affected installations should inspect upload directories, review web server logs for unauthorized activity, and verify that vulnerable plugins have been removed or updated.
CVE-2023-4346 — KNX Protocol Connection Authorization Option 1
This vulnerability affects KNX building automation environments and carries a July 29 remediation deadline.
Although unlikely to affect every organization, its inclusion in the KEV Catalog reflects CISA's continued attention to operational technology and smart-building infrastructure. Organizations responsible for KNX-enabled lighting, HVAC, physical access, or other building management systems should verify that affected deployments are appropriately segmented from enterprise IT networks and follow vendor mitigation guidance.
Intelligence Assessment
This week's KEV additions continue a trend that has become increasingly apparent throughout 2026. Rather than concentrating exclusively on desktop software or commodity applications, attackers are focusing on enterprise infrastructure that provides operational leverage once compromised. Identity platforms, collaboration servers, VPN appliances, financial systems, routers, and building management technologies all occupy privileged positions within modern organizations and therefore remain attractive targets for both financially motivated threat actors and nation-state operators.
For federal agencies and contractors operating under BOD 26-04, the immediate objective remains straightforward: meet remediation deadlines. More broadly, however, this reporting period reinforces an important strategic lesson—enterprise infrastructure should receive the same level of vulnerability management, monitoring, and incident response planning traditionally reserved for domain controllers and other mission-critical systems.
Operational Posture Summary
| CVE | Product | Deadline | Status | |---|---|---|---| | CVE-2008-4128 | Cisco IOS 12.4 | July 16 | Due today | | CVE-2026-15409/10 | SonicWall SMA1000 | July 17 | Due tomorrow | | CVE-2026-56164 | SharePoint Server | July 17 | Due tomorrow | | CVE-2026-46817 | Oracle EBS | July 18 | Due Saturday | | CVE-2026-48939 | iCagenda | July 13 | Overdue | | CVE-2026-56155 | Microsoft AD FS | July 28 | Upcoming | | CVE-2023-4346 | KNX Protocol | July 29 | Upcoming |
All eight vulnerabilities carry BOD 26-04 obligations for federal agencies and their contractors. Where patches cannot be applied before deadlines, document compensating controls, notify your ISSO, and initiate forensic triage per CISA's requirements.
Sources: CISA KEV Catalog · CISA BOD 26-04 · Microsoft Security Update Guide · SonicWall Product Security Advisories · Oracle Critical Patch Updates · Cisco Security Advisories · KNX Association Security
Free KEV Alerts
- Real-time notification the moment a KEV drops
- Vendor and product details
- BOD 26-04 remediation deadline included
Pro Alerts Coming Soon
- Real-time notification the moment a KEV drops
- Filtered to your specific vendor watchlist
- Urgency scoring (Critical / Urgent / Standard)
- Direct patch links included
Stay ahead of CISA.
Common Vulnerability and Exposure
CVEs form a database of known security vulnerabilities that are actively tracked and managed by a group of organizations, such as the U.S. National Cyber Security Alliance. CVEs are an important tool for network security management because they not only provide an inventory of existing vulnerabilities, but also provide information about how the vulnerability can be exploited and instructions on how to protect against it.
Search the KEV Catalog by Vendor or Product
Search for CVEs by vendor or product to identify known exploited vulnerabilities in your environment
Upcoming Patch Due Dates
via Binding Operational Directive 26-04
BOD 26-04 is CISA's current vulnerability remediation directive for Federal Civilian Executive Branch (FCEB) agencies, updating the KEV-driven framework introduced under BOD 22-01 with a more risk-based approach to prioritization. While binding only on FCEB agencies, its framework increasingly influences contractor expectations through procurement requirements, FedRAMP programs, and agency security clauses.
Loading...
Cyber Security News
You may have missed...
*
Inside a cyberattack: How hackers steal data
The truth about cybersecurity is that it's almost impossible to keep hackers outside of an organization, particularly as the cybercrime industry ...
CISA Adds Two Known Exploited Vulnerabilities to Catalog
These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise. Binding .....
Breaking Out of the 'We're Too Boring to Hack' Myth | Manufacturing.net
The plants getting burned are not those with the most valuable data - they're the ones that believed they had none.
AI Music App Suno Got Hacked, Giving a Glimpse of Just How Much Music It Scraped
Per 404 Media, the hacker was able to get their hands on source code from Suno between 2023 and 2024, which seems to include scraping instructions and...
Source Code Hack Reveals Suno's AI Was Trained on Millions of YouTube Songs - CNET
The hack allegedly confirms the suspicions of record labels and artists that their music is used in the creation of AI music.
Volt Typhoon hackers were in Massachusetts utility's systems for 10 months
Investigation reveals Volt Typhoon hackers maintained access to a Massachusetts utility company for nearly a year, exfiltrating operational technology...
Finland issues wanted notice for hacker behind massive psychotherapy data breach
The Supreme Court's decision leaves in place a February Court of Appeal ruling that sentenced Kivimäki to nearly seven years in prison for hacking ...
Cybersecurity Risks Grow for Agriculture - Red River Farm Network
As farms become more connected, cybersecurity is becoming a bigger concern. Chris Sherman, founder of Tech Support Farm, says many attacks ...
Air Force network lockouts hit troops and civilians | Federal News Network
Air Force employees are being locked out of their computers as cybersecurity quarantines tied to software updates disrupt work across bases and ...
Updated daily
