RDS GoSOC AI — Field Notes AI-powered SOC + 16-framework compliance · 14-day free trial

What CISOs need to know: CISA Adds Two Known Exploited Vulnerabilities to Catalog

A breach signal from CISA Cybersecurity Advisories - and what compliance teams should do this week.

Published 2026-05-22

# What CISOs need to know: CISA Adds Two Known Exploited Vulnerabilities to Catalog

What happened

<p>CISA has added two new vulnerabilities to its <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">Known Exploited Vulnerabilities (KEV) Catalog</a>, based on evidence of active exploitation.</p> <ul> <li><a href="https://www.cve.org/CVERecord?id=CVE-2025-34291" target="_blank">CVE-2025-34291</a> Langflow Origin Validation Error Vulnerability</li> <li><a href="https://www.cve.org/CVERecord?id=CVE-2026-34926" target="_blank">CVE-2026-34926</a> Trend Micro Apex One (On-Premise) Directory Traversal Vulnerability</li> </ul> <p>These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.</p> <p><a href="https://www.cisa.gov/binding-operational-directive-22-01">Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities</a> established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remediate identified vulnerabilities by the due date to protect FCEB networks against active threats. See the <a href="https://www.cisa.gov/sites/default/files/publications/Reducing_the_Significant_Risk_of_Known_Exploited_Vulnerabilities_211103.pdf">BOD 22-01 Fact Sheet</a> for more information.</p> <p>Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation of <a href="https://www.cisa.gov/known-exploited-vulnerabilities-catalog" title="Known Exploited Vulnerabilities Catalog">KEV Catalog vulnerabilities</a> as part of their vulnerability management practice. CISA will continue to add vulnerabilities to the catalog that meet the <a href="https://www.cisa.gov/known-exploited-vulnerabilities">specified criteria</a>.&nbsp;</p>

Source: CISA Cybersecurity Advisories

Why it matters

This signal sits squarely in the 16-framework compliance coverage (NIS2 / SOC 2 / ISO 27001 / HIPAA / PCI DSS) territory. CISOs and compliance leads at mid-market EU/US organisations should map it to their control set within the next 7-14 days.

What to do this week

1. Read the source advisory in full and identify whether your environment is in scope. 2. Check existing controls against the requirement / vulnerability. 3. Document evidence of remediation or non-applicability - auditors will ask.

How RDS GoSOC AI helps

RDS GoSOC AI is a multi-tenant AI SOC + compliance platform that maps 16 frameworks (NIS2, DoD STIG, EU AI Act, SOC 2, ISO 27001, HIPAA, PCI DSS, FedRAMP, and more) into one dashboard. Start the 14-day free trial - every paid feature unlocked, no credit card. The in-app User Guide tab walks through every feature and Sage handles setup questions in-context.

Start the 14-day free trial →