CISA has added one new vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation, in a release dated 16 March 2026. The newly listed issue is CVE-2025-47813 Wing FTP Server Information Disclosure Vulnerability, described as a frequent attack vector for malicious cyber actors and a significant risk to the federal enterprise.
The KEV Catalog is described as a living list of known CVEs that carry significant risk to the federal enterprise, with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities shaping its use. According to BOD 22-01, Federal Civilian Executive Branch (FCEB) agencies must remediate identified vulnerabilities by the due date to protect FCEB networks against active threats.
Although the directive applies to FCEB agencies, CISA urges all organisations to prioritise timely remediation of KEV Catalog vulnerabilities as part of their vulnerability management practice.