<!-- curated:true -->
# [HIGH] CISA Adds 4 Exploited Flaws to KEV, Sets May 2026 Federal Deadline

**Source:** The Hacker News
**Published:** 2026-04-21
**Article:** https://thehackernews.com/2026/04/cisa-adds-4-exploited-flaws-to-kev-sets.html
**Curated:** Analyst-reviewed 2026-04-28

## Threat profile

CISA added 4 actively exploited CVEs to the **Known Exploited Vulnerabilities (KEV)** catalog with a federal remediation deadline in **May 2026**. KEV inclusion is one of the strongest prioritisation signals available: only CVEs CISA has **observed exploited in the wild** make it. Federal civilian executive branch agencies are *required* under BOD 22-01 to remediate by the due date; sensible enterprises follow the same prioritisation.

Cross-reference the matching individual KEV briefings in this archive (open `briefings/INDEX.md` and search the same date range) for the per-CVE detail, vendor/product, and asset-exposure queries.

## Indicators of Compromise

- The 4 CVE identifiers (vulnerability IDs, not host or network IoCs; see the source article and our `intel/iocs.csv` for the latest full KEV slice).
- Each CVE in this batch has a corresponding `CISA KEV: CVE-...` briefing in `briefings/<date>/cisa-kev-cve-...md` with a per-CVE asset-exposure query.

## MITRE ATT&CK (analyst-validated)

- **T1190** — Exploit Public-Facing Application: the default mapping for a KEV entry in an internet-exposed product. It does not follow from KEV inclusion alone; the catalog also carries client-side and local-privilege-escalation bugs.
- Per-CVE techniques vary (client-side bugs map to T1203, local privilege escalation to T1068); consult the source vendor advisory and the per-CVE briefing for each.

## Recommended SOC actions (priority-ordered)

1. **Pull the 4 CVEs from `intel/iocs.csv`** — they're already in our feed under `cisa-kev` source attribution. Sort by `first_seen` to find the new entries.
2. **Run the asset-exposure query** below across all 4 CVEs.
3. **Patch by the deadline.** BOD 22-01 binds federal civilian agencies directly; federal contractors are bound only where their contract flows the requirement down. If neither applies, treat the CISA due date as an aggressive but reasonable target.
4. **Hunt for post-exploitation.** Patching closes the door; it doesn't evict an attacker who's already inside. Use the per-CVE briefings to drive hunt scope.
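Steps 1 and 2 above amount to a join: the KEV slice (which CVEs, added when, due when) against the scanner's per-asset findings. The script below is an added example written for this briefing, not code from the article or from this repo's tooling. It assumes a KEV slice in the column layout of CISA's public KEV CSV export and a scanner export with `dest,cve,severity,cvss,first_seen` columns; both inputs are constructed sample data and the CVE IDs are placeholders in the same style as the queries below, not real entries. It filters the slice to entries added on or after a date, joins the findings, and orders the worklist by due date, then known ransomware use, then CVSS.

```python
"""Join a KEV catalog slice to scanner findings and produce the patch/hunt worklist.

Added example for this briefing (not the article's or this repo's own code).
Both CSVs below are constructed sample data; the CVE IDs are placeholders.
"""
import csv
import io
from datetime import date

# Constructed slice in the column layout of CISA's public KEV CSV export.
# Assumption: the page's intel/iocs.csv carries the same fields, or can be
# mapped onto them; the placeholder CVE IDs are not real entries.
KEV_CSV = """cveID,vendorProject,product,vulnerabilityName,dateAdded,shortDescription,requiredAction,dueDate,knownRansomwareCampaignUse,notes
CVE-2026-XXXX,ExampleVendor,Edge Gateway,Example Gateway RCE,2026-04-21,Constructed entry,Apply mitigations per vendor instructions,2026-05-12,Known,
CVE-2026-YYYY,ExampleVendor,Admin Console,Example Console Auth Bypass,2026-04-21,Constructed entry,Apply mitigations per vendor instructions,2026-05-12,Unknown,
CVE-2025-AAAA,OtherVendor,Legacy Agent,Example Agent PrivEsc,2026-01-15,Constructed entry,Apply updates per vendor instructions,2026-02-05,Unknown,
"""

# Constructed scanner export: one row per (asset, CVE) finding. Note the
# mixed-case CVE on the first row; normalisation below handles it.
SCAN_CSV = """dest,cve,severity,cvss,first_seen
vpn-01.corp.example,cve-2026-xxxx,critical,9.8,2026-04-22
vpn-02.corp.example,CVE-2026-XXXX,critical,9.8,2026-04-22
admin-01.corp.example,CVE-2026-YYYY,high,8.1,2026-04-23
build-07.corp.example,CVE-2024-ZZZZ,high,7.5,2026-04-23
"""


def normalize_cve(cve_id):
    """Scanner exports disagree on case and whitespace; KEV IDs are upper-case."""
    return cve_id.strip().upper()


def load_kev(text, added_on_or_after=None):
    """Parse a KEV CSV slice into {cveID: entry}.

    added_on_or_after is an ISO date string; entries added before it are
    dropped so the result is only the current batch of KEV additions.
    """
    cutoff = date.fromisoformat(added_on_or_after) if added_on_or_after else None
    kev = {}
    for row in csv.DictReader(io.StringIO(text)):
        added = date.fromisoformat(row["dateAdded"])
        if cutoff and added < cutoff:
            continue
        kev[normalize_cve(row["cveID"])] = {
            "vendor": row["vendorProject"],
            "product": row["product"],
            "added": added,
            "due": date.fromisoformat(row["dueDate"]),
            # KEV uses the literal values "Known" / "Unknown" for this column.
            "ransomware": row["knownRansomwareCampaignUse"].strip().lower() == "known",
        }
    return kev


def exposure(kev, scan_text, today):
    """Join scanner findings to KEV entries and return the ordered worklist.

    Ordering: earliest due date first, then entries with known ransomware
    use, then highest CVSS. `today` is an ISO date string used for days_left.
    """
    as_of = date.fromisoformat(today)
    rows = []
    for finding in csv.DictReader(io.StringIO(scan_text)):
        cve = normalize_cve(finding["cve"])
        entry = kev.get(cve)
        if entry is None:  # finding is not in the KEV slice; out of scope here
            continue
        rows.append({
            "dest": finding["dest"],
            "cve": cve,
            "product": f"{entry['vendor']} {entry['product']}",
            "cvss": float(finding["cvss"]),
            "due": entry["due"],
            "days_left": (entry["due"] - as_of).days,
            "ransomware": entry["ransomware"],
        })
    rows.sort(key=lambda r: (r["due"], not r["ransomware"], -r["cvss"]))
    return rows


if __name__ == "__main__":
    batch = load_kev(KEV_CSV, added_on_or_after="2026-04-21")
    for r in exposure(batch, SCAN_CSV, today="2026-04-28"):
        flag = " [ransomware]" if r["ransomware"] else ""
        print(f"{r['dest']:24} {r['cve']:15} {r['product']:28} "
              f"due {r['due']} ({r['days_left']:3d}d left){flag}")
```

Run as-is to see the three exposed assets; the 2025 entry is dropped by the `dateAdded` cutoff and the non-KEV finding on `build-07` is dropped by the join. Swap `KEV_CSV` for the live catalog download and `SCAN_CSV` for the scanner export, keeping the column names, and the same two functions drive step 4's hunt scope (every `dest` in the output is a host to hunt on, not just to patch).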

## Splunk SPL — exposure across all current KEV adds (last 14 days)

```spl
| tstats `summariesonly` count min(_time) AS firstTime max(_time) AS lastTime
    from datamodel=Vulnerabilities
    where Vulnerabilities.cve=*
      AND Vulnerabilities.severity IN ("high","critical")
    by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.severity,
       Vulnerabilities.cve, Vulnerabilities.cvss
| `drop_dm_object_name(Vulnerabilities)`
| where firstTime > relative_time(now(),"-14d")
| sort - cvss
```

This query is not KEV-filtered: it surfaces every high/critical finding first seen in the window. Match the `cve` column against `intel/iocs.csv` (source `cisa-kev`) to reduce it to KEV exposure. Sorting on `cvss` rather than the `severity` string matters because a string sort puts "high" above "critical".

## Splunk SPL — KEV CVEs from this article (replace placeholders with actual CVE list)

```spl
| tstats `summariesonly` count min(_time) AS firstTime max(_time) AS lastTime
    from datamodel=Vulnerabilities
    where Vulnerabilities.cve IN ("CVE-2026-XXXX","CVE-2026-YYYY","CVE-2026-ZZZZ","CVE-2026-AAAA")
    by Vulnerabilities.dest, Vulnerabilities.signature, Vulnerabilities.severity,
       Vulnerabilities.cve, Vulnerabilities.cvss
| `drop_dm_object_name(Vulnerabilities)`
| sort - cvss, dest
```

CVE IDs live in the CIM `cve` field; `signature` is the scanner's plugin or check name and will not match a bare CVE ID on most scanners.

## Defender KQL — KEV CVEs from this article (replace placeholders with actual CVE list)

```kql
// Replace the placeholders with the 4 CVE IDs from the article.
let KevCves = dynamic(["CVE-2026-XXXX","CVE-2026-YYYY","CVE-2026-ZZZZ","CVE-2026-AAAA"]);
DeviceTvmSoftwareVulnerabilities
| where CveId in (KevCves)
// DeviceTvmSoftwareVulnerabilities already carries DeviceName and OSPlatform,
// so no DeviceInfo join is needed (joining DeviceInfo without arg_max also
// duplicates rows, one per DeviceInfo snapshot).
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
| project DeviceName, OSPlatform, SoftwareName, SoftwareVersion, CveId,
          VulnerabilitySeverityLevel, CvssScore, RecommendedSecurityUpdate, PublishedDate
| order by CvssScore desc, DeviceName asc
```

## Defender KQL — inventory of exploitable 2026 CVEs (reconcile against KEV)

```kql
// IsExploitAvailable is Defender's own exploit-availability flag, not KEV
// membership; it is broader than KEV. Reconcile the CveId column against
// intel/iocs.csv before treating this as the KEV exposure list.
// The year filter is a convenience only: KEV regularly adds older CVEs,
// so widen it when doing a full reconciliation.
DeviceTvmSoftwareVulnerabilities
| where CveId startswith "CVE-2026"
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, CvssScore
  ) on CveId
| summarize device_count = dcount(DeviceId), devices = make_set(DeviceName, 50)
    by CveId, VulnerabilitySeverityLevel, CvssScore, RecommendedSecurityUpdate
| order by CvssScore desc, device_count desc
```

Ordering on `CvssScore` rather than `VulnerabilitySeverityLevel` avoids the string-sort problem where "Medium" sorts above "Critical".

## Why this matters for your SOC

KEV is one of the most operationally actionable single feeds available because it filters out theoretical vulnerabilities and only flags ones observed exploited. The May 2026 due date is a forcing function: even if your patch cadence is sluggish, KEV gives you cover with leadership ("CISA-mandated due date for federal agencies") to break the queue. Drop these 4 CVEs into the top of your patch backlog this week. The matching per-CVE briefings in this repo provide ready-to-paste vuln-exposure SPL/KQL.
