Live Threats
[STRUTS]Apache Struts zero-day (CVE-2026-3101) under mass exploitation — ransomware groups deploying web shells on Java web apps. Patch immediately.|
[LAZARUS]North Korean Lazarus Group targets SMB defense contractors via fake LinkedIn recruiter profiles delivering trojanized job documents.|
[DEEPFAKE]Deepfake CEO video call fraud stole $3.2M in a single transaction. AI voice and face synthesis now indistinguishable — targeting US SMBs.|
[CHROME]CVE-2026-2356 Chrome zero-day actively exploited to deliver spyware. Update to 136.0.7103.92 immediately on all devices.|
[HIPAA]HHS finalized major HIPAA Security Rule updates — mandatory encryption at rest, MFA, and annual pen testing effective December 31, 2026.|
[CISA KEV]CISA added 15 new KEV entries this week — six are priority patches for internet-facing systems including Struts, Chrome, Cisco, Fortinet, Ivanti, and VMware.|
[STRUTS]Apache Struts zero-day (CVE-2026-3101) under mass exploitation — ransomware groups deploying web shells on Java web apps. Patch immediately.|
[LAZARUS]North Korean Lazarus Group targets SMB defense contractors via fake LinkedIn recruiter profiles delivering trojanized job documents.|
[DEEPFAKE]Deepfake CEO video call fraud stole $3.2M in a single transaction. AI voice and face synthesis now indistinguishable — targeting US SMBs.|
[CHROME]CVE-2026-2356 Chrome zero-day actively exploited to deliver spyware. Update to 136.0.7103.92 immediately on all devices.|
[HIPAA]HHS finalized major HIPAA Security Rule updates — mandatory encryption at rest, MFA, and annual pen testing effective December 31, 2026.|
[CISA KEV]CISA added 15 new KEV entries this week — six are priority patches for internet-facing systems including Struts, Chrome, Cisco, Fortinet, Ivanti, and VMware.|
View All
CISA Adds 15 New Known Exploited Vulnerabilities — What SMBs Must Patch This Week
Security News/Issue #22 — May 8 – 14, 2026
ADVISORYHIGHCVE-2026-2356CVE-2026-3101CVE-2026-2847
CISA KEV

CISA Adds 15 New Known Exploited Vulnerabilities — What SMBs Must Patch This Week

Published May 11, 2026
Current as of May 11, 2026
5 min read
Source: CISA Known Exploited Vulnerabilities Catalog
CISA KEV Listed
SHARE:
Affected Systems
Cisco IOS XE (multiple versions)Fortinet FortiOS and FortiProxyMicrosoft Windows and OfficeIvanti Connect Secure and Policy SecureVMware ESXi and vCenter Server
CISA Known Exploited Vulnerabilities CatalogCONFIRMED EXPLOITED

CVE-2026-2356, CVE-2026-3101, CVE-2026-2847 have been added to the CISA KEV catalog, confirming active exploitation in the wild. Federal agencies are required to remediate. All organizations should treat this with equal urgency.

Executive Summary

CISA's May 2026 KEV catalog update added 15 newly confirmed exploited vulnerabilities spanning Cisco, Fortinet, Microsoft, Ivanti, and VMware products. SMBs should prioritize the six most impactful patches detailed here.

The May 2026 KEV Bulk Update

CISA published a significant update to its Known Exploited Vulnerabilities (KEV) catalog on May 8, 2026, adding 15 newly confirmed exploited vulnerabilities across multiple vendor products. The update spans critical vulnerabilities in Cisco IOS XE, Fortinet FortiOS and FortiProxy, Microsoft Windows and Office, Ivanti Connect Secure and Policy Secure, VMware ESXi and vCenter Server, and Adobe Acrobat and Reader. Each of these vulnerabilities has been confirmed by CISA, FBI, or vendor threat intelligence teams as being actively exploited in the wild. CISA's KEV catalog serves as the authoritative list of vulnerabilities that are not merely theoretical risks but are confirmed weapons in active cyber attacks.

Priority 1: Internet-Facing Systems

The six highest-priority KEV entries from this update affect internet-facing systems that are directly exposed to attacker scanning and exploitation. First, CVE-2026-3101 in Apache Struts 2 allows unauthenticated remote code execution on Java web application servers. Second, CVE-2026-2356 in Chrome's V8 engine enables drive-by malware delivery through malicious websites. Third, Cisco IOS XE vulnerabilities allow privilege escalation on network infrastructure. Fourth, Fortinet FortiOS authentication bypass enables full firewall compromise. Fifth, Ivanti Connect Secure unauthenticated RCE provides VPN gateway access. Sixth, VMware ESXi guest-to-host escape allows hypervisor compromise from any VM. These six vulnerabilities should be patched before any other IT tasks this week.

How CISA KEV Relates to Your Patch Strategy

CISA's KEV catalog should be the cornerstone of any organization's vulnerability management program. Here is how to integrate KEV into your patch strategy: review the KEV catalog weekly for new entries; cross-reference KEV entries against your asset inventory to identify affected systems; prioritize KEV vulnerabilities over non-KEV vulnerabilities of the same severity score; establish a target patch timeline of 14 days for KEV entries affecting internet-facing systems and 30 days for internal systems; and track KEV remediation metrics as a key security performance indicator. Organizations that consistently patch KEV vulnerabilities within 14 days dramatically reduce their risk of successful exploitation.

SMB Patch Management Resources

Small and mid-sized businesses often struggle with patch management due to limited IT resources and the complexity of coordinating updates across diverse systems. CISA provides several free resources that can help: the KEV catalog itself (cisa.gov/known-exploited-vulnerabilities-catalog) with filtering by vendor and product; CISA's Free Cybersecurity Services and Tools page with patch management utilities; the CISA Binding Operational Directive 22-01 which establishes federal patch timelines that serve as a useful benchmark for all organizations; and CISA's regional cybersecurity advisors who can provide free guidance to SMBs. Segler.Net provides managed patch management services that ensure your systems are updated within CISA KEV timelines without requiring dedicated internal security staff.

Intel last verified: May 11, 2026 — Threat status, patch availability, and affected systems are current as of this date. CISA KEV listing confirmed active exploitation.
CISA KEV
Key Takeaways & Action Items
  • CISA's KEV catalog is the definitive source for confirmed exploited vulnerabilities — treat every KEV entry as an active threat
  • Prioritize patches for internet-facing systems first — firewalls, VPN gateways, web servers, and remote access systems
  • The six highest-priority KEV entries this week are detailed below with specific product versions and patch links
  • Federal agencies must patch KEV vulnerabilities within 14 days — SMBs should adopt the same timeline
  • Subscribe to CISA's KEV RSS feed or email alerts to stay current on newly confirmed exploited vulnerabilities
Share This
LinkedInX / TwitterEmail

Need Help With This Threat?

Our San Antonio security team can assess your exposure, apply patches, and protect your business before attackers strike.

Schedule a Security ReviewCall (210) 496-7313

Stay ahead of the next threat

Get weekly security alerts — breaches, patch updates, compliance news, and threat intel — delivered free to your inbox every week.

Breach alerts
Patch roundups
Compliance news
No spam, ever
Back to Issue #22: May 8 – 14, 2026
PREVIOUS ARTICLE
Commvault SaaS Backup Compromised — Nation-State Actor Planted Webshell in Metallic Platform
NEXT ARTICLE
Google Chrome Emergency Patch — CVE-2026-2356 Zero-Day Actively Exploited in Targeted Attacks