CISA Adds One Known Exploited Vulnerability to Catalog
Summary
CISA has added CVE-2026-35273, an Oracle PeopleSoft vulnerability, to its Known Exploited Vulnerabilities (KEV) Catalog based on evidence of active exploitation. This addition aligns with Binding Operational Directive (BOD) 26-04, which requires federal agencies to prioritize the remediation of exploited vulnerabilities on publicly exposed assets.
IFF Assessment
The inclusion of a new, actively exploited vulnerability in CISA's KEV catalog is bad news for defenders, as it signals an immediate threat that requires prompt attention and patching.
Severity
CISA KEV: Listed as actively exploited. Federal patch due: June 15, 2026. Known ransomware use: Known.
Defender Context
Organizations, especially federal agencies, must prioritize patching CVE-2026-35273 because it is actively exploited and listed in the KEV catalog. This reinforces the need for robust vulnerability management programs that can quickly identify and remediate critical vulnerabilities.