What CISOs need to know: CISA Adds Four Known Exploited Vulnerabilities to Catalog
A breach signal from CISA Cybersecurity Advisories - and what compliance teams should do this week.
Published 2026-07-14
# What CISOs need to know: CISA Adds Four Known Exploited Vulnerabilities to Catalog
What happened
<p>CISA has added four new vulnerabilities to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p> <ul type="square"> <li><a href="https://www.cve.org/CVERecord?id=CVE-2026-15409" target="_blank">CVE-2026-15409</a> SonicWall SMA1000 Appliances Server-Side Request Forgery Vulnerability</li> <li><a href="https://www.cve.org/CVERecord?id=CVE-2026-15410" target="_blank">CVE-2026-15410</a> SonicWall SMA1000 Appliances Code Injection Vulnerability</li> <li><a href="https://www.cve.org/CVERecord?id=CVE-2026-56155" target="_blank">CVE-2026-56155</a> Microsoft Active Directory Federation Services Insufficient Granularity of Access Control Vulnerability</li> <li><a href="https://www.cve.org/CVERecord?id=CVE-2026-56164" target="_blank">CVE-2026-56164</a> Microsoft SharePoint Server Missing Authentication for Critical Function Vulnerability</li> </ul> <p>These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise.</p> <p><a href="https://www.cisa.gov/news-events/directives/bod-26-04-implementation-guidance-prioritizing-security-updates-based-risk">Binding Operational Directive (BOD) 26-04: Prioritizing Security Updates Based on Risk</a> establishes vulnerability management requirements for Federal Civilian Executive Branch (FCEB) agencies. BOD 26-04 reinforces the importance of the KEV Catalog and requires federal agencies to prioritize rapid remediation of high-risk vulnerabilities, specifically those identified by Common Vulnerabilities and Exposures (CVEs) listed in CISA’s KEV Catalog on publicly exposed assets that grant total control of the asset post-exploitation, while deferring action for lower-risk vulnerabilities. BOD 26-04 further establishes basic expectations for when agencies must check whether threat actors compromised the system before the patch was applied.</p> <p>While BOD 26-04 applies only to FCEB agencies, CISA encourages all organizations to adopt risk-based vulnerability management and prioritize remediation of <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog">KEV Catalog vulnerabilities</a>. CISA will continue to add vulnerabilities to the catalog that meet the <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog/reducing-significant-risk-known-exploited-vulnerabilities">specified criteria</a>.</p> <p>Aware of an exploited vulnerability not currently listed in the KEV Catalog? Submit it for potential addition through CISA’s <a class="ext" href="https://cisasurvey.gov1.qualtrics.com/jfe/form/SV_1Zwu52kgK2OYf3w" target="_blank">KEV Nomination Form</a>. Potential KEV additions must have a CVE ID, evidence of exploitation, and clear mitigation guidance. </p>
Source: CISA Cybersecurity Advisories
Why it matters
This signal sits squarely in the 16-framework compliance coverage (NIS2 / SOC 2 / ISO 27001 / HIPAA / PCI DSS) territory. CISOs and compliance leads at mid-market EU/US organisations should map it to their control set within the next 7-14 days.
What to do this week
1. Read the source advisory in full and identify whether your environment is in scope. 2. Check existing controls against the requirement / vulnerability. 3. Document evidence of remediation or non-applicability - auditors will ask.
How RDS GoSOC AI helps
RDS GoSOC AI is a multi-tenant AI SOC + compliance platform that maps 16 frameworks (NIS2, DoD STIG, EU AI Act, SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, and more) into one dashboard. Start the 14-day free trial - every paid feature unlocked, no credit card. The in-app User Guide tab walks through every feature and Sage handles setup questions in-context.
---
#MSP #ManagedServices #CMMC #FedRamp #CyberSecurity #SOC #SecurityOperations #MSSP #ThreatDetection #Compliance #CloudSecurity #IdentitySecurity #SecurityMonitoring #ITServices #CyberResilience #ManagedSecurity #BusinessGrowth