CISA KEV Update: New Microsoft Defender and Legacy Flaws Exploited
- [01] Malicious actors are exploiting seven vulnerabilities across Microsoft and Adobe products, risking full system compromise and unauthorized access.
- [02] Affected systems include legacy Windows versions, DirectX, Internet Explorer, Adobe Acrobat, and current Microsoft Defender versions.
- [03] Organizations must immediately apply vendor patches or retire vulnerable legacy systems by the specified compliance deadlines.
On May 20, 2026, the Cybersecurity and Infrastructure Security Agency (CISA) expanded its Known Exploited Vulnerabilities (KEV) catalog by adding seven security flaws currently being leveraged in the wild by threat actors. According to CISA, these additions range from critical flaws in modern security software to legacy vulnerabilities that have persisted for nearly two decades. The inclusion of these items in the KEV catalog signifies that there is clear evidence of active exploitation, mandating Federal Civilian Executive Branch (FCEB) agencies to remediate them under Binding Operational Directive (BOD) 22-01.
Analysis of Legacy Technical Debt and Modern Risks
The most striking aspect of this update is the inclusion of several vulnerabilities dating back to 2008, 2009, and 2010. While these legacy flaws are often associated with retired operating systems, their presence in the KEV catalog indicates that they remain viable TTPs for attackers targeting environments where legacy software is still operational.
For instance, CVE-2008-4250 is a well-known buffer overflow vulnerability in the Windows Server service. Its persistence in current threat telemetry suggests that attackers continue to find success against unpatched or decommissioned systems that have been brought back online without proper security auditing. Organizations must prioritize efforts to remediate CVE-2008-4250 in legacy systems, particularly within industrial control or air-gapped environments that may have been overlooked during standard patch cycles.
Similarly, CVE-2010-0249 and CVE-2010-0806 involve use-after-free conditions in Microsoft Internet Explorer. These vulnerabilities were historically significant during the Aurora attacks, and their current exploitation likely targets organizations still utilizing legacy browser components for internal applications. Exploitation of such flaws often leads to RCE, allowing an APT to gain an initial foothold within a network.
Microsoft Defender Elevation of Privilege Mitigation
In contrast to the legacy flaws, CISA also added two vulnerabilities affecting Microsoft Defender, the primary EDR and antivirus solution for Windows environments. CVE-2026-41091 is a Privilege Escalation vulnerability that allows a local attacker to gain SYSTEM-level access. This is a critical component of the attack chain, as it facilitates Lateral Movement and the disabling of security controls.
Security teams should focus on how to detect CVE-2026-41091 exploit attempts by monitoring for unusual processes spawned by the Defender engine or unexpected modifications to registry keys associated with security services. Furthermore, CVE-2026-45498 presents a Denial of Service (DoS) risk to Microsoft Defender, potentially allowing attackers to blind the SOC by crashing the local security agent before deploying Ransomware.
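As an added illustration (not from CISA's advisory or this article), the two monitoring ideas above applied to constructed Sysmon-style events: a process spawned by the Defender engine that is not on an allowlist, and a write to registry paths tied to Defender-related services. The allowlist and the watched registry prefixes are assumptions to tune for your fleet, and this is generic hygiene monitoring, not a signature for CVE-2026-41091.

```python
import ntpath

# Constructed sample telemetry in a Sysmon-like JSON shape (not real logs).
# EventID 1 = process creation, EventID 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "Image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MpCmdRun.exe"},
    {"EventID": 1, "ParentImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.0\MsMpEng.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start", "Details": "DWORD (0x00000004)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetObject": r"HKLM\SOFTWARE\Contoso\App\Setting", "Details": "1"},
]

# Assumed allowlist of children the Defender engine legitimately starts; tune per environment.
EXPECTED_DEFENDER_CHILDREN = {"mpcmdrun.exe"}

# Registry paths for Defender-related services and policy (assumed watch list, extend as needed).
WATCHED_REGISTRY_PREFIXES = (
    r"HKLM\SYSTEM\CurrentControlSet\Services\WinDefend",
    r"HKLM\SYSTEM\CurrentControlSet\Services\WdNisSvc",
    r"HKLM\SYSTEM\CurrentControlSet\Services\Sense",
    r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender",
)


def _basename(path):
    # ntpath handles backslash-separated Windows paths on any host OS.
    return ntpath.basename(path).lower()


def detect(events):
    """Return one alert dict per event that matches a rule; other events are ignored."""
    alerts = []
    prefixes = tuple(p.lower() for p in WATCHED_REGISTRY_PREFIXES)
    for ev in events:
        if ev.get("EventID") == 1 and _basename(ev.get("ParentImage", "")) == "msmpeng.exe":
            if _basename(ev.get("Image", "")) not in EXPECTED_DEFENDER_CHILDREN:
                alerts.append({"rule": "defender_unexpected_child", "image": ev["Image"]})
        elif ev.get("EventID") == 13:
            target = ev.get("TargetObject", "")
            if target.lower().startswith(prefixes):
                alerts.append({"rule": "security_service_registry_change",
                               "target": target, "details": ev.get("Details", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```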
Actionable Recommendations and Remediation
To defend against these threats, organizations should adopt a multi-layered approach to vulnerability management. CISA urges all entities to treat these CVE entries as high-priority tasks regardless of their CVSS score, as active exploitation is the most accurate predictor of risk.
- Comprehensive Inventory: Conduct a full asset discovery to identify systems running legacy versions of Adobe Acrobat (CVE-2009-3459) or Internet Explorer components. If these cannot be patched, they must be isolated or decommissioned.
- Automate Defender Updates: Ensure that Microsoft Defender signatures and engine versions are automatically updated across the fleet to address CVE-2026-41091 and CVE-2026-45498.
- Network Segmentation: Implement strict segmentation to prevent a compromise of a legacy system from leading to a wider breach.
- Log Monitoring: Integrate SIEM alerts for known exploit patterns associated with these vulnerabilities, particularly for the NULL byte overwrite in DirectX (CVE-2009-1537).