Flaws in Google, Microsoft products added to Cisa catalogue
Flaws in the Google Chromium web browser engine and the Microsoft Windows Video ActiveX Control are among six issues added to the Cybersecurity and Infrastructure Security Agency's (Cisa's) Known Exploited Vulnerabilities (Kev) catalogue this week.
Their inclusion on the regularly updated Kev list mandates remedial action by agencies of the US government by a set date – 10 March 2026 in this instance – but more broadly, for private sector organisations all over the world, it serves as a timely guide to which vulnerabilities are being actively exploited in the wild and therefore warrant urgent attention.
The Google Chromium issue, tracked as CVE-2026-2441, is a remote code execution (RCE) flaw arising from a use-after-free condition, in which the application continues to reference a memory location after that memory has been freed. It is classed as a zero-day.
Google said it was “aware” that an exploit for the flaw exists in the wild and has updated the Stable channel to 145.0.7632.75/76 for Windows and Mac, and 144.0.7559.75 for Linux.
The Microsoft flaw dates back almost 20 years and carries the identifier CVE-2008-0015. It is also an RCE vulnerability, but it arises from a stack-based buffer overflow in the ActiveX component of Windows Video and is triggered if a vulnerable user can be convinced to visit a malicious web page.
Its reemergence now implies threat actors are using it to target organisations that either failed or forgot to patch years ago and are still running legacy systems and discontinued software.
The other vulnerabilities on Cisa's radar are CVE-2020-7796, a server-side request forgery (SSRF) vulnerability in Synacor Zimbra Collaboration Suite, and CVE-2024-7694 in TeamT5 ThreatSonar Anti-Ransomware, in which a failure to properly validate the content of uploaded files allows a remote attacker with admin rights to upload malicious files in order to achieve arbitrary system command execution.
Also added to the Kev catalogue this week are CVE-2026-22769, a hardcoded credential vulnerability in Dell RecoverPoint for Virtual Machines that allows an unauthenticated, remote attacker to gain access to the operating system, and CVE-2021-22175, another SSRF issue in GitLab.
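The practical use of the Kev catalogue described above is to join it against what an organisation actually runs and work out what must be fixed before the due date. The script below is an added example, not code from the article, from Cisa or from any vendor named here. It uses the field names of Cisa's public Kev JSON feed (cveID, vendorProject, product, dueDate), but the feed excerpt is constructed from only the CVEs, vendors and the 10 March 2026 due date mentioned in this article, and the asset inventory is invented.

```python
"""Triage a CISA KEV feed excerpt against a local software inventory.

Added example: not the article's or CISA's code. Field names follow the
public KEV JSON feed; the entries and inventory below are CONSTRUCTED for
this example from the CVEs and due date named in the article.
"""
import json
from datetime import date

# CONSTRUCTED excerpt of the KEV feed. The real feed carries more fields
# (dateAdded, shortDescription, requiredAction, ...); only those used here
# are included.
KEV_EXCERPT = json.dumps({
    "title": "CISA Catalog of Known Exploited Vulnerabilities",
    "vulnerabilities": [
        {"cveID": "CVE-2026-2441", "vendorProject": "Google",
         "product": "Chromium", "dueDate": "2026-03-10"},
        {"cveID": "CVE-2008-0015", "vendorProject": "Microsoft",
         "product": "Windows Video ActiveX Control", "dueDate": "2026-03-10"},
        {"cveID": "CVE-2020-7796", "vendorProject": "Synacor",
         "product": "Zimbra Collaboration Suite", "dueDate": "2026-03-10"},
        {"cveID": "CVE-2024-7694", "vendorProject": "TeamT5",
         "product": "ThreatSonar Anti-Ransomware", "dueDate": "2026-03-10"},
        {"cveID": "CVE-2026-22769", "vendorProject": "Dell",
         "product": "RecoverPoint for Virtual Machines", "dueDate": "2026-03-10"},
        {"cveID": "CVE-2021-22175", "vendorProject": "GitLab",
         "product": "GitLab", "dueDate": "2026-03-10"},
    ],
})

# CONSTRUCTED asset inventory, shaped like a CMDB export (hypothetical hosts).
INVENTORY = [
    {"host": "mail-01", "vendor": "Synacor", "product": "Zimbra Collaboration Suite 8.8"},
    {"host": "kiosk-legacy-07", "vendor": "Microsoft", "product": "Windows Video ActiveX Control"},
    {"host": "git-01", "vendor": "GitLab", "product": "GitLab Enterprise Edition 13.x"},
    {"host": "db-02", "vendor": "PostgreSQL", "product": "PostgreSQL 16"},
]


def _norm(s):
    """Lower-case and collapse whitespace so vendor/product strings compare loosely."""
    return " ".join(s.lower().split())


def load_kev(text):
    """Parse the KEV JSON document and return its list of vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def match_inventory(entries, inventory):
    """Return (asset, kev_entry) pairs where the KEV vendor matches the asset
    vendor and the KEV product name appears inside the asset's product string.
    The KEV feed carries no version data, so a hit means 'investigate', not
    'confirmed vulnerable'."""
    hits = []
    for asset in inventory:
        for entry in entries:
            same_vendor = _norm(entry["vendorProject"]) == _norm(asset["vendor"])
            product_hit = _norm(entry["product"]) in _norm(asset["product"])
            if same_vendor and product_hit:
                hits.append((asset, entry))
    return hits


def triage(kev_text, inventory, today):
    """Build a remediation worklist: one row per (host, CVE) with days left
    until the KEV due date, most urgent first. Negative days_left is overdue."""
    rows = []
    for asset, entry in match_inventory(load_kev(kev_text), inventory):
        due = date.fromisoformat(entry["dueDate"])
        days_left = (due - today).days
        rows.append({
            "host": asset["host"],
            "cve": entry["cveID"],
            "product": entry["product"],
            "due": entry["dueDate"],
            "days_left": days_left,
            "overdue": days_left < 0,
        })
    rows.sort(key=lambda r: (r["days_left"], r["host"]))
    return rows


def format_report(rows):
    """Render the worklist as fixed-width text lines for a ticket or e-mail."""
    lines = []
    for r in rows:
        state = "OVERDUE" if r["overdue"] else f"{r['days_left']}d left"
        lines.append(f"{r['host']:<16} {r['cve']:<16} due {r['due']}  {state}")
    return lines


if __name__ == "__main__":
    # Reference date chosen for the demo; a real run would use date.today().
    for line in format_report(triage(KEV_EXCERPT, INVENTORY, date(2026, 3, 1))):
        print(line)
```

Matching on vendor and product strings is deliberately loose because the Kev feed identifies affected software by name only; the next step for each hit is to confirm the installed version against the vendor advisory before either patching or closing the finding.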
Gunter Ollman, chief technology officer (CTO) at Cobalt, a provider of penetration-testing services, said that Cisa's latest Kev additions highlighted a persistent reality for cyber security professionals – namely that attackers are pragmatic, not trendy.
“They will exploit a brand-new Chrome heap corruption vulnerability just as readily as a 2008-era ActiveX buffer overflow if it gives them reliable access,” said Ollman. “What stands out here is the diversity of attack surface, from browsers and collaboration platforms to endpoint software that's supposed to defend against ransomware.”
Ollman said this reinforced a clear need for continuous, adversary-driven testing that reflects the reality of how threat actors chain exploits, SSRF flaws, and legacy weaknesses into practical intrusion paths.
He added: “Organisations can't treat patching as a quarterly hygiene exercise. They need ongoing validation that exposed services, client-side software, and defensive tooling are resilient under real-world attack conditions. The Kev catalog is not just a list of bugs, it's a blueprint of what adversaries are successfully monetising right now.”