According to CISA, the U.S. Cybersecurity and Infrastructure Security Agency, four flaws were added to its Known Exploited Vulnerabilities (KEV) catalog: CVE-2024-43468 (CVSS 9.8), a Microsoft Configuration Manager SQL injection; CVE-2025-15556 (CVSS 7.7), a Notepad++ download of code without integrity check; CVE-2025-40536 (CVSS 8.1), a SolarWinds Web Help Desk security control bypass; and CVE-2026-20700 (CVSS 7.8), an Apple multiple buffer overflow vulnerability.
For the first flaw, CVE-2024-43468, the entry notes that an unauthenticated attacker could trigger unsafe processing to execute commands on the server or database. It also states that Apple released updates for iOS, iPadOS, macOS, watchOS, tvOS and visionOS to address CVE-2026-20700, which was reported by Google's Threat Analysis Group, suggesting possible exploitation in the wild.
As part of its guidance, and in line with Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, FCEB agencies must address the vulnerabilities by the due date, and private organisations are advised to review the catalog and remediate the flaws in their infrastructure. CISA has set fixed deadlines: March 5, 2026 for all but CVE-2025-40536, which must be remediated by February 15, 2026.