The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added four vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog Thursday, including critical vulnerabilities in SolarWinds Web Help Desk (WHD) and Microsoft Configuration Manager, and additional flaws in Notepad++ and Apple operating systems.The most urgent flaw, tracked as CVE-2025-40536, is a security protection bypass in SolarWinds WHD with a CVSS score of 9.8.According to Horizon3.ai researchers who discovered the flaw, the logic SolarWinds WHD uses to perform CSRF checks uses a whitelist to validate query parameters, which can be bypassed using crafted URI parameters to access restricted functionalities without authentication.SolarWinds patched this vulnerability on Jan. 28, 2026, in version 2026.1. Microsoft reported on Feb. 6 about an active threat campaign targeting SolarWinds WHD but could not confirm whether CVE-2025-40536 or another vulnerability was being used.Federal Civilian Executive Branch (FCEB) agencies were given until Feb. 15, 2026, a three-day deadline, to patch CVE-2025-40536.A second critical vulnerability added to the KEV catalog, tracked as CVE-2024-43468, is a SQL injection vulnerability in Microsoft Configuration Manager that could lead to remote code execution (RCE). It has a critical CVSS score of 9.8 and was first disclosed in October 2024.Synacktiv researchers who discovered the vulnerability found that the getMachineID function that processes XML-based messages sent from Microsoft Configuration Manager clients to the MP_Location endpoint did not properly sanitize input before using it to construct SQL queries.The researchers were thus able to craft an XML document that executes arbitrary commands on the SQL database, which could be escalated to RCE on the underlying server by activating the xp_cmdshell procedure. This vulnerability could be exploited without authentication via an HTTP request to the internet-exposed endpoint.CVE-2024-43468 affects Microsoft Configuration Manager versions 2403, 2309 and 2303 and are addressed by security update KB29166583. Proof-of-concept (PoC) exploit code was published by Syacktiv on Nov. 26, 2024. Due to active exploitation, FCEB agencies are required to patch this vulnerability by March 5, 2026.CISA also added vulnerabilities in Apple operating systems and Notepad++ to the KEV catalog on Thursday.The Apple flaw, tracked as CVE-2026-20700, was exploited as a zero-day and patched on Feb. 11, 2026. The vulnerability, which has a high CVSS score of 7.8, could enable an attacker with memory write capability to execute arbitrary code.Apple said the flaw was potentially exploited in an “extremely sophisticated” attack involving “specific targeted individuals.”The issue was fixed in version 26.3 of iOS, iPadOS, macOS Tahoe, watchOS, tvOS and visionOS. FCEB agencies are required to patch by March 5, 2026.Lastly, a Notepad++ flaw that enabled malicious updates to be installed in a state-sponsored supply chain attack was added to the KEV catalog. The attack, which Rapid7 attributed to the China-backed threat group Lotus Blossom, stemmed from a compromise of Notepad++’s website hosting provider, which allowed the attackers to push malicious updates to some targeted users.While the initial compromise was not due to a Notepad++ vulnerability, the flaw tracked as CVE-2025-15556 enabled the malicious updates to occur due to update metadata and installers not being cryptographically verified. The flaw has a CVSS score of 7.7 and was fixed in version 8.8.9, with FCEB agencies given until March 5, 2026 to patch.
Security Operations, SOC, Vulnerability Management, Patch/Configuration Management, Threat Management
CISA adds SolarWinds, Microsoft, Apple, Notepad++ vulnerabilities to KEV catalog

(Credit: photo_gonzo – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



