CISA Updates KEV Catalog with New Vulnerabilities from SolarWinds, Microsoft, Apple, and Notepad++


US CISA Adds Four Vulnerabilities to Known Exploited Vulnerabilities Catalog

The US Cybersecurity and Infrastructure Security Agency (CISA) has added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgent need for federal agencies to patch critical security flaws in software from SolarWinds, Microsoft, Apple, and Notepad++.

Critical Vulnerability in SolarWinds Web Help Desk

A critical vulnerability in SolarWinds Web Help Desk (WHD) has been identified as a top priority for patching. Tracked as CVE-2025-40536, the flaw is a security protection bypass with a CVSS score of 9.8, placing it in the critical severity range.

According to researchers at Horizon3.ai, the vulnerability can be exploited by crafting specific URI parameters to bypass authentication and access restricted functionalities.

SolarWinds released a patch for this vulnerability on January 28, 2026, in version 2026.1. Federal Civilian Executive Branch (FCEB) agencies have been given a deadline of February 15, 2026, to apply the patch.

Critical SQL Injection Vulnerability in Microsoft Configuration Manager

Microsoft Configuration Manager is also affected by a critical SQL injection vulnerability, tracked as CVE-2024-43468. This flaw has a CVSS score of 9.8 and can lead to remote code execution (RCE).

Researchers at Synacktiv discovered that the vulnerability can be exploited without authentication via an HTTP request to an internet-exposed endpoint.

The vulnerability affects Microsoft Configuration Manager versions 2403, 2309, and 2303, and is addressed by security update KB29166583. FCEB agencies have been given a deadline of March 5, 2026, to patch this vulnerability.

Vulnerabilities in Apple and Notepad++

In addition to these critical vulnerabilities, CISA has also added flaws in Apple operating systems and Notepad++ to the KEV catalog. The Apple vulnerability, tracked as CVE-2026-20700, was exploited as a zero-day and patched on February 11, 2026.

This flaw has a high CVSS score of 7.8 and could enable an attacker with memory write capability to execute arbitrary code. Apple has stated that the flaw was potentially exploited in an “extremely sophisticated” attack involving “specific targeted individuals.”

A vulnerability in Notepad++ has also been added to the KEV catalog, tracked as CVE-2025-15556. This flaw has a CVSS score of 7.7 and allowed malicious updates to be installed because update metadata and installers were not cryptographically verified.

The flaw was fixed in version 8.8.9 of Notepad++, and FCEB agencies have been given a deadline of March 5, 2026, to patch.
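The Notepad++ entry is a reminder of what an update client has to check before it runs an installer. The Go program below is an added illustration written for this article, not Notepad++'s own updater code, and the manifest format, key handling and installer bytes are all constructed for the example. It contrasts a verifier that only compares the installer against whatever metadata it fetched (the weakness the advisory describes, since anyone who can tamper with the metadata can also supply a matching digest) with one that first authenticates the metadata against a publisher key pinned in the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update-metadata document (not Notepad++'s real
// format): it offers a version and commits to the SHA-256 of the installer.
type Manifest struct {
	Version         string `json:"version"`
	InstallerSHA256 string `json:"installer_sha256"`
}

// SignedManifest is the manifest bytes plus a detached Ed25519 signature.
type SignedManifest struct {
	Body      []byte
	Signature []byte
}

var (
	ErrBadSignature   = errors.New("manifest signature does not verify against the pinned publisher key")
	ErrDigestMismatch = errors.New("installer SHA-256 does not match the signed manifest")
)

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// sign plays the publisher's role so that the example is self-contained.
func sign(priv ed25519.PrivateKey, m Manifest) SignedManifest {
	body, _ := json.Marshal(m) // a struct of two strings always marshals
	return SignedManifest{Body: body, Signature: ed25519.Sign(priv, body)}
}

// checkDigest confirms the downloaded installer is the one the manifest names.
func checkDigest(sm SignedManifest, installer []byte) error {
	var m Manifest
	if err := json.Unmarshal(sm.Body, &m); err != nil {
		return err
	}
	if sha256Hex(installer) != m.InstallerSHA256 {
		return ErrDigestMismatch
	}
	return nil
}

// VerifyUnsafe models the weakness described in the advisory: the metadata is
// trusted as fetched, so a forged manifest carrying a forged digest passes.
func VerifyUnsafe(sm SignedManifest, installer []byte) error {
	return checkDigest(sm, installer)
}

// VerifySafe is the hardened flow: authenticate the metadata with the key
// pinned in the client first, and only then trust the digest it carries.
func VerifySafe(pinned ed25519.PublicKey, sm SignedManifest, installer []byte) error {
	if !ed25519.Verify(pinned, sm.Body, sm.Signature) {
		return ErrBadSignature
	}
	return checkDigest(sm, installer)
}

// Result records how each verifier judges the updates in the constructed scenario.
type Result struct {
	UnsafeAcceptsForgery bool  // expected true: the weak check is fooled
	SafeRejectsForgery   error // expected ErrBadSignature
	SafeAcceptsGenuine   error // expected nil
	SafeRejectsTampered  error // expected ErrDigestMismatch
}

// RunScenario builds a publisher key pair, a genuine update, and a forged
// update signed with a different key, then runs both verifiers over them.
func RunScenario() (Result, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	genuineInstaller := []byte("constructed genuine installer bytes")
	genuine := sign(priv, Manifest{Version: "8.8.9", InstallerSHA256: sha256Hex(genuineInstaller)})

	// A party on the update path with its own key and its own installer.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Result{}, err
	}
	forgedInstaller := []byte("constructed forged installer bytes")
	forged := sign(otherPriv, Manifest{Version: "8.8.9", InstallerSHA256: sha256Hex(forgedInstaller)})

	return Result{
		UnsafeAcceptsForgery: VerifyUnsafe(forged, forgedInstaller) == nil,
		SafeRejectsForgery:   VerifySafe(pub, forged, forgedInstaller),
		SafeAcceptsGenuine:   VerifySafe(pub, genuine, genuineInstaller),
		SafeRejectsTampered:  VerifySafe(pub, genuine, forgedInstaller), // genuine manifest, swapped installer
	}, nil
}

func main() {
	r, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("unsafe verifier accepts forged update: %v\n", r.UnsafeAcceptsForgery)
	fmt.Printf("safe verifier, forged update:          %v\n", r.SafeRejectsForgery)
	fmt.Printf("safe verifier, genuine update:         %v\n", r.SafeAcceptsGenuine)
	fmt.Printf("safe verifier, swapped installer:      %v\n", r.SafeRejectsTampered)
}
```

The order of the two checks matters: the digest comparison is only meaningful once the manifest that carries the digest has been authenticated, and the public key has to ship with the client rather than be fetched from the same channel as the update. A real updater would also bind the manifest to the product and enforce that the offered version is not older than the installed one, which this example leaves out.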

Conclusion

These vulnerabilities highlight the ongoing need for organizations to prioritize patching and vulnerability management to protect against cyber threats.
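For organizations that track KEV deadlines, the catalog is published as a JSON feed (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) with one record per CVE. The Go program below is an added example for this article, not CISA's or any vendor's tooling: it parses records in the feed's field layout, keeps those whose product appears in a local asset inventory, and orders them by due date, flagging any that are already past it. The sample feed is constructed from the three entries above for which the article gives a due date (the Apple entry is omitted because no deadline is stated), the product strings and inventory are assumptions, and fields the article does not give are left out.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"time"
)

// KEVEntry mirrors the field names of one record in the public KEV JSON feed.
// Only the fields this example uses are declared; Unmarshal ignores the rest.
type KEVEntry struct {
	CVEID             string `json:"cveID"`
	VendorProject     string `json:"vendorProject"`
	Product           string `json:"product"`
	VulnerabilityName string `json:"vulnerabilityName"`
	RequiredAction    string `json:"requiredAction"`
	DueDate           string `json:"dueDate"`
}

// KEVCatalog is the top-level feed object.
type KEVCatalog struct {
	Vulnerabilities []KEVEntry `json:"vulnerabilities"`
}

// Finding is one triage row for an entry whose product is in the inventory.
type Finding struct {
	CVEID    string
	Product  string
	DueDate  time.Time
	DaysLeft int  // negative once the due date has passed
	Overdue  bool
}

// SampleFeed is constructed for this example from the deadlines in the article.
// Product strings are assumed; match against the exact strings the live feed uses.
const SampleFeed = `{
  "title": "CISA Catalog of Known Exploited Vulnerabilities",
  "vulnerabilities": [
    {"cveID": "CVE-2025-40536", "vendorProject": "SolarWinds", "product": "Web Help Desk",
     "vulnerabilityName": "SolarWinds Web Help Desk Security Protection Bypass",
     "requiredAction": "Apply mitigations per vendor instructions", "dueDate": "2026-02-15"},
    {"cveID": "CVE-2024-43468", "vendorProject": "Microsoft", "product": "Configuration Manager",
     "vulnerabilityName": "Microsoft Configuration Manager SQL Injection",
     "requiredAction": "Apply mitigations per vendor instructions", "dueDate": "2026-03-05"},
    {"cveID": "CVE-2025-15556", "vendorProject": "Notepad++", "product": "Notepad++",
     "vulnerabilityName": "Notepad++ Missing Update Verification",
     "requiredAction": "Apply mitigations per vendor instructions", "dueDate": "2026-03-05"}
  ]
}`

// SampleInventory is a constructed asset list: this organization runs Web Help
// Desk and Notepad++ but not Configuration Manager.
func SampleInventory() map[string]bool {
	return map[string]bool{"Web Help Desk": true, "Notepad++": true}
}

// Triage parses a KEV feed, keeps entries whose product is in the inventory,
// and returns them ordered by due date so the most urgent come first.
func Triage(feed []byte, inventory map[string]bool, today time.Time) ([]Finding, error) {
	var cat KEVCatalog
	if err := json.Unmarshal(feed, &cat); err != nil {
		return nil, err
	}
	var out []Finding
	for _, e := range cat.Vulnerabilities {
		if !inventory[e.Product] {
			continue
		}
		due, err := time.Parse("2006-01-02", e.DueDate)
		if err != nil {
			return nil, fmt.Errorf("%s: bad dueDate %q: %w", e.CVEID, e.DueDate, err)
		}
		days := int(due.Sub(today).Hours() / 24)
		out = append(out, Finding{CVEID: e.CVEID, Product: e.Product, DueDate: due, DaysLeft: days, Overdue: days < 0})
	}
	sort.Slice(out, func(i, j int) bool { return out[i].DueDate.Before(out[j].DueDate) })
	return out, nil
}

func main() {
	// Fixed "today" so the output is reproducible; use time.Now().UTC() in practice.
	today := time.Date(2026, 2, 20, 0, 0, 0, 0, time.UTC)
	findings, err := Triage([]byte(SampleFeed), SampleInventory(), today)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-16s %-20s due %s  days left %3d  overdue=%v\n",
			f.CVEID, f.Product, f.DueDate.Format("2006-01-02"), f.DaysLeft, f.Overdue)
	}
}
```

Matching on the feed's `product` field is a coarse first pass; a production job would map KEV entries to inventory by vendor and product together and then compare installed versions against the fixed versions in the vendor advisories, since the feed itself does not carry version ranges.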

