CISA Sounds the Alarm: Two Actively Exploited Vulnerabilities Force Federal Agencies Into Emergency Patching Mode

The Cybersecurity and Infrastructure Security Agency (CISA) has once again expanded its Known Exploited Vulnerabilities (KEV) catalog, adding two new security flaws that are being actively weaponized by threat actors in the wild. The additions—affecting Linux kernel components and Palo Alto Networks’ PAN-OS—underscore the persistent threat that unpatched software poses to government agencies and private enterprises alike, and they carry with them binding operational directives that require federal civilian agencies to apply fixes within tight deadlines.
The two vulnerabilities, tracked as CVE-2025-0090 and CVE-2025-0108, were flagged by CISA on the basis of confirmed exploitation activity, according to The Hacker News. Their inclusion in the KEV catalog triggers mandatory remediation timelines under Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch (FCEB) agencies to patch listed vulnerabilities within a specified window—typically two to three weeks from the date of addition. While BOD 22-01 applies specifically to federal agencies, CISA has repeatedly urged all organizations, regardless of sector, to treat the KEV catalog as a prioritization guide for their own vulnerability management programs.
Inside the Two Vulnerabilities: What Makes Them Dangerous
The first vulnerability, a Linux kernel flaw, represents a particularly insidious class of security weakness. Kernel-level vulnerabilities are prized by attackers because successful exploitation can grant elevated privileges, allowing a threat actor who has already gained initial access to a system to escalate to root-level control. From that position, an attacker can install persistent backdoors, exfiltrate sensitive data, or move laterally across a network with minimal detection. The specific technical details of the Linux kernel flaw point to a memory management issue that can be triggered under certain conditions, giving attackers a reliable exploitation path on unpatched systems.
The second vulnerability affects Palo Alto Networks’ PAN-OS, the operating system that powers the company’s widely deployed next-generation firewalls. Flaws in firewall operating systems are especially concerning because these devices sit at the perimeter of enterprise networks, serving as the first line of defense against external threats. An exploitable weakness in PAN-OS could allow an attacker to bypass authentication mechanisms, execute arbitrary code, or gain unauthorized access to the management interface of the firewall itself. Palo Alto Networks firewalls are deployed across thousands of government agencies, financial institutions, healthcare organizations, and critical infrastructure operators, making any actively exploited vulnerability in PAN-OS a matter of national security concern.
The KEV Catalog: A Living Document With Real-World Consequences
CISA’s Known Exploited Vulnerabilities catalog has grown substantially since its inception in November 2021. Originally launched alongside BOD 22-01, the catalog was designed to move federal agencies away from a purely score-based approach to vulnerability management—where organizations prioritized patching based solely on CVSS severity ratings—toward a threat-informed model that accounts for whether a vulnerability is actually being exploited in the wild. The logic is straightforward: a medium-severity vulnerability that attackers are actively using poses a greater immediate risk than a critical-severity flaw with no known exploitation activity.
As of early 2026, the KEV catalog contains well over 1,100 entries spanning a wide range of vendors and product categories, from enterprise software and networking equipment to operating systems and web browsers. Each entry includes the CVE identifier, the affected vendor and product, a brief description of the vulnerability, the date it was added, and the deadline by which federal agencies must apply patches or mitigations. The catalog has become one of the most closely watched vulnerability intelligence resources in the cybersecurity industry, with private-sector organizations increasingly adopting it as a baseline for their own patch prioritization strategies.
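The fields just listed are the ones the public KEV JSON feed carries, which is what makes the catalog easy to wire into a patch-prioritization workflow. As an added example (not code from the article or from CISA), the Python script below cross-references a constructed feed sample against a constructed scanner inventory and orders findings by their BOD 22-01 due date; the field names follow the public feed, but the dates, asset names and the placeholder CVE-2023-99999 are assumptions made up for this example.

```python
import json
from datetime import date

# Constructed sample in the shape of CISA's KEV JSON feed: field names follow the
# public feed, but the dates are made up for this example (CVE IDs are from the article).
KEV_JSON = """{"vulnerabilities": [
 {"cveID": "CVE-2025-0108", "vendorProject": "Palo Alto Networks", "product": "PAN-OS", "dateAdded": "2025-02-18", "dueDate": "2025-03-11"},
 {"cveID": "CVE-2025-0090", "vendorProject": "Linux", "product": "Kernel", "dateAdded": "2025-02-18", "dueDate": "2025-03-11"},
 {"cveID": "CVE-2024-0012", "vendorProject": "Palo Alto Networks", "product": "PAN-OS", "dateAdded": "2024-11-18", "dueDate": "2024-12-09"}
]}"""

# Constructed scanner output: asset name -> CVE IDs reported on it.
# CVE-2023-99999 is a placeholder for a finding that is not in the KEV catalog.
INVENTORY = {
    "fw-edge-01": ["CVE-2024-0012", "CVE-2025-0108", "CVE-2023-99999"],
    "web-prod-07": ["CVE-2025-0090"],
    "db-prod-02": ["CVE-2023-99999"],
}


def parse_kev(feed_text):
    """Index the feed by CVE ID, parsing dateAdded/dueDate into date objects."""
    kev = {}
    for v in json.loads(feed_text)["vulnerabilities"]:
        kev[v["cveID"]] = {
            "product": f'{v["vendorProject"]} {v["product"]}',
            "added": date.fromisoformat(v["dateAdded"]),
            "due": date.fromisoformat(v["dueDate"]),
        }
    return kev


def remediation_plan(kev, inventory, today_iso, soon_days=7):
    """Findings that carry a KEV deadline, most urgent first. Findings not in
    KEV are skipped: they still need patching but carry no BOD 22-01 deadline."""
    today = date.fromisoformat(today_iso)
    plan = []
    for asset, cves in inventory.items():
        for cve in cves:
            entry = kev.get(cve)
            if entry is None:
                continue
            days_left = (entry["due"] - today).days  # negative once the deadline has passed
            status = ("overdue" if days_left < 0
                      else "due_soon" if days_left <= soon_days else "scheduled")
            plan.append({"asset": asset, "cve": cve, "product": entry["product"],
                         "window_days": (entry["due"] - entry["added"]).days,
                         "due": entry["due"].isoformat(),
                         "days_left": days_left, "status": status})
    plan.sort(key=lambda f: (f["days_left"], f["asset"]))
    return plan
```

Run against a real feed, `window_days` shows the remediation window CISA actually assigned to each entry, and anything with a negative `days_left` is a finding that is already out of compliance with the directive.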
Palo Alto Networks: A Recurring Target for Sophisticated Threat Actors
The addition of a PAN-OS vulnerability to the KEV catalog is not without precedent. Palo Alto Networks products have appeared in the catalog multiple times over the past two years, reflecting the intense interest that both nation-state actors and financially motivated cybercriminals have in compromising network security appliances. In late 2024, CISA added CVE-2024-0012 and CVE-2024-9474 to the catalog after threat actors were observed chaining the two PAN-OS flaws together to achieve unauthenticated remote code execution on affected firewalls. That campaign, which security researchers attributed to a suspected state-sponsored group, affected organizations across multiple sectors and prompted an emergency advisory from Palo Alto Networks urging customers to restrict management interface access.
The pattern of firewall and VPN appliance exploitation has become one of the defining characteristics of the modern threat environment. Products from Palo Alto Networks, Fortinet, Ivanti, Citrix, and Cisco have all been targeted repeatedly by advanced persistent threat (APT) groups seeking to establish footholds in high-value networks. These devices are attractive targets because they are internet-facing by design, they often run with elevated privileges, and they may not be subject to the same endpoint detection and response (EDR) monitoring that protects workstations and servers. Security researchers have warned that organizations must treat network appliance patching with the same urgency they apply to operating system and application updates.
Linux Kernel Flaws: The Hidden Risk Beneath Enterprise Infrastructure
Linux kernel vulnerabilities, meanwhile, represent a broad and persistent attack surface. Linux powers the majority of the world’s servers, cloud infrastructure, and containerized workloads, meaning that a single exploitable kernel flaw can have cascading effects across millions of systems. The kernel is the most privileged component of the operating system, and vulnerabilities that allow privilege escalation from user space to kernel space are among the most valuable tools in an attacker’s arsenal.
In recent years, several high-profile Linux kernel vulnerabilities have been added to the KEV catalog, including flaws in the netfilter subsystem, the io_uring interface, and various device drivers. The challenge for defenders is that Linux kernel updates often require system reboots, which can be disruptive in production environments. Many organizations delay kernel patching for weeks or months, creating a window of exposure that sophisticated attackers are quick to exploit. Cloud service providers and managed hosting companies face particular pressure, as they must balance the need for rapid patching against the service-level agreements they maintain with customers.
Federal Agencies Face Tightening Deadlines and Growing Pressure
For federal agencies, the addition of new entries to the KEV catalog creates immediate operational demands. Under BOD 22-01, agencies must remediate each cataloged vulnerability by the deadline specified by CISA, and they are expected to report their compliance status through the agency’s regular reporting mechanisms. The directive has been credited with significantly improving the federal government’s patch management posture, but it has also exposed the resource constraints that many agencies face. Smaller agencies with limited IT staff and legacy systems often struggle to meet the required timelines, particularly when vulnerabilities affect deeply embedded infrastructure components like operating system kernels or network appliances that require careful testing before updates can be deployed.
CISA Director Jen Easterly has repeatedly emphasized that the KEV catalog is not just a federal mandate but a resource for the entire cybersecurity community. In public remarks, Easterly has described the catalog as “the authoritative source of vulnerabilities that have been exploited in the wild” and has encouraged chief information security officers across all sectors to integrate KEV data into their vulnerability management workflows. The agency has also published supplemental guidance on how organizations can use the catalog in conjunction with other threat intelligence sources, such as the MITRE ATT&CK framework and vendor-specific advisories, to build a more comprehensive picture of their risk exposure.
What Organizations Should Do Now
For organizations running affected versions of the Linux kernel or Palo Alto Networks PAN-OS, the recommended course of action is clear: apply available patches immediately or implement the mitigations specified in the relevant vendor advisories. Palo Alto Networks has published security advisories for the PAN-OS vulnerability with detailed remediation guidance, and Linux distribution maintainers have released updated kernel packages addressing the identified flaw.
Beyond the immediate patching imperative, these latest KEV additions serve as a reminder that vulnerability management must be treated as a continuous, operationally integrated function rather than a periodic compliance exercise. Organizations that rely on periodic scanning and quarterly patch cycles are increasingly out of step with the speed at which threat actors are weaponizing newly disclosed vulnerabilities. The time between public disclosure and active exploitation has compressed dramatically—in some cases to mere days or even hours. As CISA continues to expand the KEV catalog, the message to defenders is unambiguous: if a vulnerability is being exploited in the wild, the window for remediation is not weeks. It is now.